The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
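
An added example (not part of the original entry): a check over `Set-Cookie` response headers that reports sensitive-looking cookies set without the HttpOnly attribute. The name pattern that decides which cookies count as sensitive, and the sample headers, are assumptions constructed for illustration.

```python
import re

# Assumption: cookie-name patterns that suggest sensitive content (tune per application).
SENSITIVE_NAME = re.compile(r"(sess|sid|auth|token|jwt)", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs)."""
    parts = header_value.split(";")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.strip().partition("=")
        if key:
            # Attribute names are case-insensitive, so normalise them.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_httponly(set_cookie_headers, sensitive=SENSITIVE_NAME):
    """Return names of sensitive-looking cookies set without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not name:
            continue  # malformed header with no cookie name
        # Check the parsed attribute, not a substring of the raw header.
        if sensitive.search(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample response headers.
SAMPLE_HEADERS = [
    "SESSIONID=9f2c1e; Path=/; Secure",                     # flagged
    "auth_token=abc.def.ghi; Path=/; Secure; HTTPONLY",     # ok: case-insensitive match
    "theme=dark; Path=/",                                   # not sensitive by name
    "sid=1a2b; Path=/; SameSite=Strict; Comment=HttpOnly",  # flagged: a value, not the flag
]

if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} is set without HttpOnly")
```

The last sample header shows why the check parses attributes instead of searching the raw header text for "HttpOnly".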