Allowing code access the Session ID cookie increases the vulnerability to session hijacking attacks.
Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Require HttpOnly attribute".
Time to fix
This rule is linked to Common Weakness Enumeration CWE-284 Improper Access Control.