Cross-domain loading may allow a remote SWF to have unintended access to the loader's domain and data.
If the loading SWF imports the remote SWF file into its security domain, then the loaded SWF could gain access to the parent SWF's data and relay that data back to an attacker.
Although there are more granular threats that could be defined within a specific context for any SWF file, this overview covers the high-level threats common to most SWF deployments.
A remotely loaded SWF may try to render its controls over the top of the loading SWF in an attempt to perform a spoofing attack.
By overlaying the parent SWF, the malicious SWF can hijack control from the loading SWF file.
A Flash application may receive malicious data injection from several types of interfaces.
For example, it is common for Flash Vars to be set via the Object tag within the HTML.
Note: This article was originally authored for Adobe Flash Player 9,0,115,0 and has been updated for Flash Player 10.