Why is this an issue?

Calling Security.allowDomain("*") lets any domain cross-script into the domain of this SWF and exercise its functionality.

Noncompliant code example

Security.allowDomain("*");

Compliant solution

Security.allowDomain("www.myDomain.com");