Bloopist was alerted to a CORS vulnerability by Jens Mueller on August 21, 2017. That vulnerability is now patched. More details can be found in Fixing CORS Security Holes.