The second report is closed as informative that means it's not a valid bug. for this to be impactful the attacker has to redirect the user to his malicious page than steal those tokens using the Referer header from the victim request.
@@Medusa0xf If you take a look again at the report you will see that it's closed as informative that means it's not a vulnerability, as he didn't show a real exploit senario, and it's not vulnerable to man-in-the-middle attack because it's secured as https method. Btw are you active on hackerone?