Dx NetOps :CAPM vulnerability - Cookie(s) without SameSite=strict flag set: CWE-1275

Article ID: 233038

Products

CA Performance Management - Usage and Administration

Issue/Introduction

The following vulnerability was reported against the CA Performance Management application.

Cookie(s) without SameSite=strict flag set

Description: The SameSite cookie attribute is used by browsers to control when a cookie is attached to a request and so increases security. SameSite prevents the browser from sending this cookie along with cross-site requests. This mitigates the risk of cross-origin information leakage and also provides protection against cross-site request forgery attacks.

Environment

Release : 21.2

Resolution

The difference between the two settings is this: with SameSite=Strict the browser will never send any PM cookies when the user reaches PC from another host (for example, by following a link). With SameSite=Lax the browser will not send any PM cookies on cross-site requests either, except when the user navigates to PC from another host (a link click).

If no navigation takes place (for example, a different site embeds an image served by PC), PM cookies are not sent under either setting.
In both cases, unless the user actually navigates to PC, the browser should not send any PM cookies it holds.
Strict only adds that arriving from another site will always require logging in to PM again.
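The following is an added example and is not code from the KB article or from the CA Performance Management product. It models the browser-side decision described above (Strict vs. Lax vs. None, top-level navigation vs. embedded subresource) and includes a small Set-Cookie audit that reports cookies lacking SameSite=Strict, which is what the scanner finding amounts to. Assumptions: a missing SameSite attribute is treated as Lax, as current Chromium-based browsers do by default; the cookie names and values in SAMPLE_HEADERS are constructed placeholders, not the product's real cookies.

```python
# Added example: model of the browser's SameSite decision plus a Set-Cookie audit.
# Not part of the KB article or the CA Performance Management product.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str      # "Strict", "Lax" or "None"
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    Assumption: a missing SameSite attribute is treated as Lax, which is the
    default in current Chromium-based browsers.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    samesite = (attrs.get("samesite") or "Lax").capitalize()
    if samesite not in ("Strict", "Lax", "None"):
        samesite = "Lax"  # unrecognised values fall back to the default
    return Cookie(name.strip(), value, samesite, "secure" in attrs, "httponly" in attrs)


def cookie_is_sent(cookie: Cookie, cross_site: bool,
                   top_level_navigation: bool, method: str = "GET") -> bool:
    """Decide whether a browser attaches `cookie` to a request.

    cross_site: the request originates from a site other than the cookie's.
    top_level_navigation: the user is navigating (e.g. clicking a link), as
    opposed to the page loading a subresource such as an image.
    """
    if not cross_site:
        return True                      # same-site requests always carry the cookie
    if cookie.samesite == "Strict":
        return False                     # never sent cross-site, not even on a link click
    if cookie.samesite == "Lax":
        # Only a top-level navigation with a safe method carries the cookie.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    # SameSite=None: sent cross-site, but browsers require Secure alongside it.
    return cookie.secure


def find_weak_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies that are not SameSite=Strict (the scanner finding)."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers)
            if c.samesite != "Strict"]


# Constructed sample headers; placeholder names, not real product cookies.
SAMPLE_HEADERS = [
    "SESSION_A=abc123; Path=/; Secure; HttpOnly",                    # no SameSite -> Lax
    "SESSION_B=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(c.name, c.samesite,
              "link-click:", cookie_is_sent(c, cross_site=True, top_level_navigation=True),
              "embedded-image:", cookie_is_sent(c, cross_site=True, top_level_navigation=False))
    print("Not Strict:", find_weak_cookies(SAMPLE_HEADERS))
```

Running the block shows the behaviour the resolution describes: the Lax cookie is attached on a cross-site link click but not when another site embeds an image, while the Strict cookie is attached in neither case, so arriving from another site always means logging in again.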

Additional Information

An Enhancement Request has been raised: #32994750 (Defect DE526546).