Browser problem, not site problem
To be sure, this definitely is a problem, and we've known about it for a very long time. However, contrary to what these "experts" claim, it is NOT a problem with cPanel, Linksys, or Netgear. This is a problem with BROWSERS. It is the browser which is not protecting an authenticated session. It is the browser which is allowing a web page from one domain to make/redirect requests to another site, especially a protected site. And it is the browser which allows this redirection to be executed via JavaScript.
One might argue that sites should be allowed to make/redirect requests to other domains, and I would be open to that argument. I do not, however, understand why browsers do not protect authenticated sessions. By requiring authentication, you (the website) are telling the browser that the site is protected by user authentication, so why do browsers allow other domains to make requests to the protected site? If a request for the protected site comes from any site other than the protected site itself, the browser should, at the very least, alert you to that fact and prompt for your authentication credentials again.
Personally, I never understood why you can't treat each browser window (and now tab) as its own session, separate from other windows and tabs. This is, once again, a problem in the way browsers access a website, which is something the website has literally no control over. If the browser wants to share the user's authentication status among all open windows and tabs, there's not a damn thing the website can do about that.
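
The check the comment asks for, whether a request to the protected site came from the protected site itself, can also be expressed on the receiving server using headers that browsers attach to requests. This is an added example, not part of the original comment; the function names and the `router.example` origin are hypothetical, and it assumes state changes happen only on non-GET requests.

```javascript
// Added example; function names and origins are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Origin ("scheme://host[:port]") of a URL or Origin header value, or null.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null; // e.g. the literal "null" sent by sandboxed documents
  }
}

// headers: lower-cased header names, as Node's http module exposes them.
// ownOrigin: the protected site's own origin.
function allowRequest(method, headers, ownOrigin) {
  // Assumption: safe methods never change state on this server.
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  // Fetch Metadata: the browser states how initiator and target relate.
  const site = headers["sec-fetch-site"];
  if (site !== undefined) {
    // "none" means user-initiated navigation (typed URL, bookmark).
    const ok = site === "same-origin" || site === "none";
    return { allow: ok, reason: `sec-fetch-site=${site}` };
  }
  // Older browsers: compare Origin, then Referer, with our own origin.
  const claimed = headers["origin"] ?? headers["referer"];
  if (claimed === undefined) {
    return { allow: false, reason: "no origin information" };
  }
  const ok = originOf(claimed) === ownOrigin;
  return { allow: ok, reason: ok ? "origin matches" : "origin mismatch" };
}

// Constructed sample requests against a hypothetical admin interface.
const OWN = "https://router.example";
const SAMPLES = [
  ["POST", { origin: "https://router.example" }],
  ["POST", { origin: "https://evil.example" }],
  ["POST", { "sec-fetch-site": "cross-site", origin: "https://evil.example" }],
  ["POST", { referer: "https://router.example/settings" }],
  ["POST", {}],
];
for (const [method, headers] of SAMPLES) {
  const { allow, reason } = allowRequest(method, headers, OWN);
  console.log(method, JSON.stringify(headers), "->", allow ? "allow" : "reject", `(${reason})`);
}
```

A request that carries the user's session cookie but originates from another site is rejected before it reaches any handler, and a request with no origin information at all is rejected rather than trusted.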