Hacker News

notnullorvoid, yesterday at 2:15 AM

To be clear, only the path and query-parameter part of the URL can change; the domain (or subdomain) stays intact.


Replies

sdf456, yesterday at 11:58 AM

Even scarier to me than the vulnerability is that Fidelity (which I personally think is a good bank and investment company) was using a third party that allowed injection that could potentially steal a whole lot of money, affect markets, ruin or terminate billions of lives, and affect the course of humanity. What the fuck.

9rx, yesterday at 7:03 PM

If it weren't already in the same domain you wouldn't be able to read a non-HttpOnly cookie anyway, so that's moot.
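The two points made above (only the path and query of the URL change, and a script can only read non-HttpOnly cookies for a domain it already runs on) both come down to the cookie matching rules in RFC 6265. The following is an added example, not code from the thread or from any site it discusses: it models which cookies injected script could read through document.cookie at a given page URL. The hostnames, cookie names and attributes are constructed for illustration.

```javascript
// Added example (not from the thread): which cookies script running at a
// given page URL can read via document.cookie, per RFC 6265 matching rules.
// All hostnames, cookie names and attributes below are constructed.

// RFC 6265 section 5.1.3: a host domain-matches a cookie's Domain attribute
// when it is identical, or ends with it at a label boundary.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4: a request path path-matches a cookie path when it is
// identical, or the cookie path is a prefix that ends in "/" or is followed
// by "/" in the request path.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Names of cookies that script at `pageUrl` can read through document.cookie.
// HttpOnly cookies are never exposed to script; Secure cookies only on https
// pages; host-only cookies need an exact host match; the query string plays
// no part in matching at all.
function scriptVisibleCookies(pageUrl, cookies) {
  const url = new URL(pageUrl);
  return cookies
    .filter(c => !c.httpOnly)
    .filter(c => !c.secure || url.protocol === 'https:')
    .filter(c => (c.hostOnly ? url.hostname === c.domain
                             : domainMatch(url.hostname, c.domain)))
    .filter(c => pathMatch(url.pathname, c.path))
    .map(c => c.name);
}

// Constructed cookie jar for the hypothetical site example.com.
const JAR = [
  { name: 'session', domain: 'example.com',     path: '/',         hostOnly: false, secure: true,  httpOnly: true  },
  { name: 'csrf',    domain: 'example.com',     path: '/',         hostOnly: false, secure: true,  httpOnly: false },
  { name: 'prefs',   domain: 'www.example.com', path: '/',         hostOnly: true,  secure: false, httpOnly: false },
  { name: 'acct',    domain: 'example.com',     path: '/accounts', hostOnly: false, secure: true,  httpOnly: false },
];

// Same domain, different path and query: the HttpOnly session cookie is still
// out of reach, everything else on a matching path is readable.
console.log(scriptVisibleCookies('https://www.example.com/accounts/summary?x=1', JAR));
console.log(scriptVisibleCookies('https://www.example.com/search?q=anything', JAR));
// Different domain: nothing is readable, so an injection there would be moot.
console.log(scriptVisibleCookies('https://evil.example.net/', JAR));
```

Note that the Path attribute does narrow what this function returns, but RFC 6265 section 8.6 states plainly that cookies do not provide isolation by path: script on one path of an origin can load another path of the same origin in a frame and read its document.cookie, so in practice only the HttpOnly flag keeps a cookie away from injected script on the same domain.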