Google-discovered vulnerability in Bitwarden

I really wish people would refrain from posting clickbait sensationalistic blog articles full of misinformation (yes, I’m referring here to the “bleeping” FUD that you linked). I guess this is a sport now that Lastpass got in trouble — trying to take down the “next” password manager product.

The only valuable piece of information in that blog is the link to the Flashpoint report that the blog author is plagiarizing paraphrasing (and poorly at that). And the link to that source was already posted by @mookbav in the comment just above yours.

With regards to the original report by Flashpoint, they describe a well-known, but tricky issue related to balancing legitimate use of iframes by some websites (e.g., iCloud.com) vs. the rare possibility that an advertiser can abuse this function. As noted earlier in this thread, Bitwarden recently released a patch that prevents auto-filling in iframes that have been sandboxed. Flashpoint has not provided any working proof-of-concept demo that can be tested without paying them (!), so it is possible that this latest patch fixes whatever they claim they found. Furthermore, they admit that the only “vulnerability” they found can be readily mitigated simply by changing the URI Match Detection option from Base domain to Host.

All of this just smells like an attempt by Bleepingcomputer and Flashpoint to profit from spreading FUD.

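To make the two settings discussed in the post concrete, here is an added example (not from the thread and not Bitwarden's own code) that models how a saved login URI is matched against a page under Host versus Base domain matching, and why a sandboxed frame is refused outright. It assumes a tiny constructed stand-in for the public suffix list and constructed example.com hostnames.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# matcher consults the full list). Only two-label suffixes are listed.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, without port or path."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def base_domain(host: str) -> str:
    """Registrable domain: the public suffix plus one more label."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host  # bare suffix or single label: nothing to strip
    return ".".join(labels[-(suffix_len + 1):])


def matches(saved_uri: str, page_url: str, mode: str) -> bool:
    """Would a credential saved for saved_uri be offered on page_url?"""
    saved, page = host_of(saved_uri), host_of(page_url)
    if mode == "host":
        return saved == page              # exact hostname only
    if mode == "base_domain":
        return base_domain(saved) == base_domain(page)  # any subdomain
    raise ValueError(f"unknown match mode {mode!r}")


def should_autofill(saved_uri: str, page_url: str, mode: str,
                    frame_sandboxed: bool = False) -> bool:
    """Autofill decision: a sandboxed iframe is never filled, whatever the mode."""
    if frame_sandboxed:
        return False
    return matches(saved_uri, page_url, mode)


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"
    # Constructed: a page on a sibling subdomain not run by the login owner.
    other = "https://ads.example.com/"
    print("base_domain:", should_autofill(saved, other, "base_domain"))  # True
    print("host:      ", should_autofill(saved, other, "host"))          # False
```

Under Base domain the credential is offered on every subdomain of example.com; switching to Host restricts it to accounts.example.com, which is the mitigation the post refers to.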