A Quick Glance at Cross-Origin Resource Sharing Security Headers

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin (domain, protocol, or port) access to selected resources from a different origin.

A web application executes a cross-origin HTTP request when it requests a resource that has a different origin from its own.

The main function of a CORS policy is to prevent Site A from reading data from Site B, which is most commonly attempted through an AJAX request.

A misconfigured policy can therefore be abused to steal credentials and API keys, among other malicious activity.

An iframe can also be used to frame content from another site (if that site has a misconfigured or weak CORS policy), allowing an attacker to steal credentials directly, perform clickjacking, and carry out a variety of other malicious activity.

PortSwigger has a great article showing how CORS can easily be exploited when misconfigured.

Article Excerpt: Thanks to the rapid growth of JavaScript frameworks such as Angular, Vue, and React, CORS has become a popular word in the developer’s vocabulary.

When requesting information from an external source such as an API (a pretty common practice for client-side JavaScript code), the origin of the resource must tell the web browser which domain, HTTP method, and header are allowed to request the resource.

This is possible and easy to do with the Cross-origin resource sharing (CORS) headers — the most common being Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers.
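As an added example, not code from the Sucuri article or the PortSwigger one it cites: a weak way for a server to emit the three headers named above placed next to a hardened one, in JavaScript. The allowlisted origins and the lookalike hostname are constructed values, and the block goes slightly beyond the excerpt by also showing why a prefix match on the Origin header is not an exact allowlist.

```javascript
// Added example, not code from the Sucuri or PortSwigger articles: how a server
// might build the CORS response headers named above. `origin` is the value of
// the incoming request's Origin header (undefined for same-origin requests).

// Weak setting: reflect any Origin and allow credentials. The browser will then
// let any site read this API's authenticated responses cross-origin.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "*",
  };
}

// Assumed set of trusted front-end origins: exact scheme + host + port strings.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Still wrong: a prefix/substring test accepts lookalike hosts such as
// "https://app.example.com.lookalike.test" (a constructed example value).
function originTrustedByPrefix(origin) {
  return typeof origin === "string" && origin.startsWith("https://app.example.com");
}

// Corrected check: exact match against the allowlist.
function originTrustedByAllowlist(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Hardened setting: echo the Origin only when allowlisted, name the methods and
// headers explicitly, and send Vary: Origin so shared caches do not serve a
// response tailored to one origin to a different one. An unknown or missing
// Origin gets no Access-Control-* headers at all, so the browser blocks the read.
function corsHeadersAllowlisted(origin, allowed = ALLOWED_ORIGINS) {
  if (!originTrustedByAllowlist(origin, allowed)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    Vary: "Origin",
  };
}
```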

Continue reading A Quick Glance at Cross-Origin Resource Sharing Security Headers at Sucuri Blog.
