What is Loosely Scoped Cookie Vulnerability?

Cookies can be restricted by domain or by path; this check looks only at domain scope. A cookie's domain scope specifies which hosts may access it. A cookie can, for example, be tightly scoped to a single subdomain, such as www.nottrusted.com, or loosely scoped to a parent domain, such as nottrusted.com. In the latter case the cookie can be read by any subdomain of nottrusted.com. Loosely scoped cookies are widespread in large multi-service applications such as google.com and live.com. A cookie set by a subdomain, such as app.foo.bar, without a Domain attribute is sent by the browser only to that host. A cookie scoped to a parent-level domain, on the other hand, may be sent to the parent or to any subdomain of the parent, so a compromised or less trusted sibling subdomain can receive it.

The fix is to always scope cookies to a fully qualified domain name (FQDN), i.e. the host that set them, rather than to a parent domain.
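To make the scoping rules concrete, here is an added example (not code from the original article or from zofixer.com) that parses Set-Cookie headers and reports, for each cookie, whether it is host-only, loosely scoped to a parent domain, or would be rejected by the browser outright. It applies the host-only and domain-match rules of RFC 6265 (sections 5.1.3 and 5.3), which goes slightly beyond the text by also covering the rejection case; the function names and all hostnames and header lines are constructed for the example.

```python
"""Inspect Set-Cookie headers for loosely scoped Domain attributes.

Added example; not code from the original article. It applies the host-only
and domain-match rules of RFC 6265 (sections 5.1.3 and 5.3) to decide which
hosts a browser would send each cookie to. All hostnames and header values
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieScope:
    name: str
    request_host: str   # host that set the cookie, lowercase
    domain: str         # effective domain scope, lowercase, no leading dot
    host_only: bool     # True when the header carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain when they are equal, or when
    host ends with '.' + domain and host is not an IP address literal."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if host.replace(".", "").isdigit():  # crude IPv4 literal check
        return False
    return host.endswith("." + domain)


def parse_set_cookie(header: str, request_host: str) -> Optional[CookieScope]:
    """Parse one Set-Cookie header value as set by request_host.

    Returns None when a browser would discard the cookie because its Domain
    attribute does not cover the setting host (RFC 6265 5.3, step 6).
    """
    request_host = request_host.lower()
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain_attr = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            # A leading dot is ignored; an empty value means "no attribute".
            domain_attr = value.strip().lower().lstrip(".")
    if not domain_attr:
        return CookieScope(name, request_host, request_host, host_only=True)
    if not domain_matches(request_host, domain_attr):
        return None
    return CookieScope(name, request_host, domain_attr, host_only=False)


def is_sent_to(cookie: CookieScope, host: str) -> bool:
    """Would the browser attach this cookie to a request for host?"""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def is_loosely_scoped(cookie: CookieScope) -> bool:
    """True when the cookie is scoped to a parent of the host that set it,
    i.e. every sibling subdomain will receive it too."""
    return not cookie.host_only and cookie.domain != cookie.request_host


def audit(headers: List[str], request_host: str) -> Dict[str, str]:
    """Classify each header as 'host-only', 'loose' or 'rejected'."""
    result: Dict[str, str] = {}
    for header in headers:
        cookie = parse_set_cookie(header, request_host)
        name = header.split(";", 1)[0].split("=", 1)[0].strip()
        if cookie is None:
            result[name] = "rejected"
        elif is_loosely_scoped(cookie):
            result[name] = "loose"
        else:
            result[name] = "host-only"
    return result


# Constructed sample: three cookies set by a response from www.nottrusted.com
SAMPLE_HOST = "www.nottrusted.com"
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",        # no Domain attribute: host-only
    "pref=dark; Domain=.nottrusted.com; Path=/",   # parent-level scope: loose
    "track=1; Domain=other.example; Path=/",       # does not cover setter: rejected
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS, SAMPLE_HOST).items():
        print(f"{name}: {verdict}")
    pref = parse_set_cookie(SAMPLE_HEADERS[1], SAMPLE_HOST)
    print("pref sent to blog.nottrusted.com:", is_sent_to(pref, "blog.nottrusted.com"))
```

Running the block prints `sid: host-only`, `pref: loose`, `track: rejected`, and shows that the loosely scoped `pref` cookie is delivered to blog.nottrusted.com even though it was set by www.nottrusted.com; the host-only `sid` cookie is not. Pointing `audit` at the Set-Cookie headers of a real response (for example, collected with a proxy) gives the same classification the article's check performs.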

You may use zofixer.com to check your website for the Loosely Scoped Cookie vulnerability for free.
