Lock down your crossdomain.xml file!

I looked at the crossdomain.xml files in the source and they're all:

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

There is absolutely no need to keep a site wide open like that.  All entries should be at least double-dotted if they are to be wildcard entries or put the complete TLD in.  There should probably also be a DTD in there.  For example:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="yourdomain.com" />
    <allow-access-from domain="*.yourdomain.com" />
</cross-domain-policy>

If BoonEx needs access to your domain to serve the Flash ads, then you may need to add their domain in there too, I'm not sure.  I do know that <allow-access-from domain="*" /> completely opens your site up to cross-domain exploits.  Frankly, unless it's against the terms of use or license, I wouldn't even allow the BoonEx domains in there.

Login cookies would appear to be safe since they are sent as HTTP-only, but I'm not a Flash expert so I don't know what privileges would exist beyond that.

Quote · 31 Jan 2010
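The checks described in the post above (no `domain="*"`, wildcards at least double-dotted, a DTD present) can be turned into a small audit script. The following is an added example, not code from the post, from BoonEx or from Dolphin; the sample policies it parses are constructed for illustration and the `secure="false"` check goes one step beyond the post, using the `secure` attribute defined by the Flash policy-file format:

```python
"""Audit a Flash crossdomain.xml policy for over-permissive entries."""
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
WIDE_OPEN = (
    '<?xml version="1.0"?><cross-domain-policy>'
    '<allow-access-from domain="*" /></cross-domain-policy>'
)

LOCKED_DOWN = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="yourdomain.com" />
    <allow-access-from domain="*.yourdomain.com" />
</cross-domain-policy>
"""

SLOPPY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*.com" />
    <allow-access-from domain="*.yourdomain.com" secure="false" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml."""
    findings = []

    # The post recommends declaring the DTD; ElementTree does not fetch it,
    # so a plain string check is enough to see whether it is present.
    if "<!DOCTYPE cross-domain-policy" not in xml_text:
        findings.append(("low", "no DOCTYPE; add the cross-domain-policy DTD"))

    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        findings.append(("high", "root element is not cross-domain-policy"))
        return findings

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")

        if domain == "*":
            findings.append(("critical",
                             'domain="*" lets any site on the internet read '
                             'this origin with the victim\'s cookies'))
            continue

        # "*.yourdomain.com" has two dots and is fine; "*.com" has one and
        # hands access to every site under that TLD.
        if domain.startswith("*") and domain.count(".") < 2:
            findings.append(("high",
                             f'wildcard "{domain}" covers an entire TLD; '
                             'use at least *.yourdomain.com'))

        # secure defaults to true; secure="false" lets an http:// SWF read
        # content served over https:// from this origin.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium",
                             f'"{domain}" has secure="false": an http:// SWF '
                             'may read https:// content'))

    return findings


def is_locked_down(xml_text):
    """True when the policy has no critical or high findings."""
    return not any(sev in ("critical", "high")
                   for sev, _ in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("wide open", WIDE_OPEN),
                         ("locked down", LOCKED_DOWN),
                         ("sloppy", SLOPPY)):
        print(f"== {name}: {'OK' if is_locked_down(policy) else 'FAIL'}")
        for severity, message in audit_policy(policy):
            print(f"  [{severity}] {message}")
```

Run it against the file your web server actually returns at `/crossdomain.xml` (fetch it, then pass the body to `audit_policy`), not only the copy in the source tree, since a deployment can serve a different file than the one checked in.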