Saturday, March 14, 2020

Cross Domain Referer Leaks

For those of you who are into bug bounties, you will know that Cross Domain Referer leaks are a commonly reported class of bug. I had much luck reporting such bugs on HackerOne. However, don't you just hate it when the triagers close your reports as "Informative"?



For the life of me, I couldn't understand what that meant until I had examined the output closely in Burp. A Cross Domain Referer leak means that the target is sending a URL containing sensitive information (password reset tokens, private invite links, email addresses, etc.) to another domain in the Referer header: for example, a reset page whose URL carries the token loads a script or image from a third party, and the browser attaches the full reset URL as the Referer of that request.



Since most of these leaks go to analytics providers, always check the output of the adjacent requests and responses to make sure neither of the following is present:

1. JavaScript/DOM output on the target that references the analytics domain (a script, beacon or image loaded from it).
2. A CSP (Content Security Policy) on the target that allowlists the analytics domain, i.e. an explicit trust relationship between the target and the analytics provider.

If neither is present, it is safe to say you have a valid bug. If the leak goes to Google Analytics or DoubleClick (also owned by Google), there is a high probability the report will be closed as Informative, because the target site has already established trust with those domains, so any leak to them is treated as an accepted risk.
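The two checks above, turned into a small triage script. This is an added example, not code from the post: it takes the leaking page URL, the third-party host the Referer was sent to, and the target's response (headers plus HTML body), then reports whether the third party is already referenced from the page's markup or allowlisted in its CSP. The sample URL, headers, body and the list of "sensitive" parameter-name hints are all constructed for the example; the `referrer_policy` field is an extra practitioner check on top of the post's two (if the target already sends a policy that strips path and query cross-origin, an observed leak usually comes from a per-element `referrerpolicy` override and is worth calling out in the report).

```python
"""
Triage helper for a cross-domain Referer leak (added example, not from the post).
Given the leaking page URL, the third-party host that received the Referer, and
the target page's response, report whether the third party is already trusted
by the target: referenced in its markup or allowlisted in its CSP.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Parameter-name fragments that usually carry sensitive state (assumption).
SENSITIVE_HINTS = ("token", "invite", "code", "email", "key", "session", "otp")

# Referrer-Policy values under which a cross-origin request carries at most the
# origin of the referring page, never its path or query.
STRIPPING_POLICIES = {"no-referrer", "origin", "strict-origin", "same-origin",
                      "origin-when-cross-origin", "strict-origin-when-cross-origin"}


def sensitive_params(url):
    """Names of query parameters in `url` that look sensitive."""
    return sorted(k for k in parse_qs(urlsplit(url).query)
                  if any(h in k.lower() for h in SENSITIVE_HINTS))


class _SrcCollector(HTMLParser):
    """Collect hosts the page pulls resources from (script/img/iframe/link)."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname
                if host:
                    self.hosts.add(host.lower())


def referenced_hosts(html):
    parser = _SrcCollector()
    parser.feed(html)
    return parser.hosts


def _source_host(source):
    """Host part of one CSP source expression, or None for keywords/schemes."""
    source = source.strip().lower()
    if source.startswith("'") or source.endswith(":"):
        return None                      # 'self', 'nonce-...', https:, data:
    source = re.sub(r"^[a-z][a-z0-9+.-]*://", "", source)
    return source.split("/", 1)[0].split(":", 1)[0] or None


def csp_allows(csp_header, host):
    """True if any directive's source list matches `host` (exact, *.wildcard or *)."""
    host = host.lower()
    for directive in csp_header.split(";"):
        for source in directive.split()[1:]:
            src = _source_host(source)
            if src is None:
                continue
            if src == "*" or src == host:
                return True
            if src.startswith("*.") and host.endswith(src[1:]):
                return True
    return False


def triage(leaking_url, third_party_host, headers, body):
    """Summarise why a Referer-leak report is likely valid or Informative."""
    headers = {k.lower(): v for k, v in headers.items()}
    policy = headers.get("referrer-policy", "").strip().lower()
    params = sensitive_params(leaking_url)
    in_markup = third_party_host.lower() in referenced_hosts(body)
    in_csp = csp_allows(headers.get("content-security-policy", ""), third_party_host)
    if not params:
        verdict = "no sensitive data in URL"
    elif in_markup or in_csp:
        verdict = "likely Informative: target already trusts this third party"
    else:
        verdict = "likely valid: untrusted third party receives sensitive URL"
    return {"sensitive_params": params, "referenced_in_markup": in_markup,
            "allowlisted_in_csp": in_csp, "referrer_policy": policy,
            "policy_strips_query": policy in STRIPPING_POLICIES, "verdict": verdict}


# Constructed sample: a reset page that embeds Google Analytics and allowlists
# it in CSP, i.e. the "Informative" case; a second, unreferenced host is valid.
SAMPLE_URL = "https://target.example/reset?token=9f1c2d3e4a5b"
SAMPLE_HEADERS = {"Content-Security-Policy":
                  "default-src 'self'; script-src 'self' https://www.google-analytics.com; "
                  "img-src 'self' *.google-analytics.com"}
SAMPLE_BODY = ('<html><head><script src="https://www.google-analytics.com/analytics.js">'
               '</script></head><body>Reset your password</body></html>')

if __name__ == "__main__":
    for host in ("www.google-analytics.com", "tracker.example.net"):
        print(host, "->", triage(SAMPLE_URL, host, SAMPLE_HEADERS, SAMPLE_BODY)["verdict"])
```

Run it against a response you saved from Burp: paste the headers into the dict and the body into `SAMPLE_BODY`, and pass the host you saw in the leaking request. A hit on either `referenced_in_markup` or `allowlisted_in_csp` is the situation the post describes as getting closed as Informative.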

Good luck bug hunting, boys!