I just created a post (The MongoDB instance used by cryoSPARC appears to be wide open) addressing this same issue (not knowing someone had already asked about this).
It seems that only the worker nodes need access to the MongoDB port? Consequently I opened the firewall on the cryoSPARC server up to port 39000 only, and this seems to be working without exposing a world-writeable database to the internet. The full range of ports (39000:39010) is open to the cryoSPARC worker nodes. Port 39000 goes to the web interface, which is password protected.
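One way to confirm the setup described above from a machine outside the worker network, as an added example that is not part of the original post or of cryoSPARC: it connects to each port in 39000-39010 on your own server and reports any port other than 39000 that still accepts connections. The function names and the host name passed on the command line are assumptions.

```python
"""Added example: confirm that only the web port answers from outside."""
import socket
import sys

PORT_RANGE = range(39000, 39011)   # 39000:39010, the range named in the post
PUBLIC_PORTS = {39000}             # web interface, the only port meant to be public


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                # timeout, unreachable, dropped by firewall
        return "filtered"


def audit(host, ports=PORT_RANGE, public=PUBLIC_PORTS, timeout=2.0):
    """Probe every port; report ports open that should not be, and the reverse."""
    results = {p: probe(host, p, timeout) for p in ports}
    exposed = sorted(p for p, s in results.items() if s == "open" and p not in public)
    missing = sorted(p for p in public if results.get(p) != "open")
    return {"results": results, "exposed": exposed, "missing": missing}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_ports.py <your-cryosparc-server>")
    report = audit(sys.argv[1])
    for port, state in report["results"].items():
        print(f"{port}: {state}")
    if report["exposed"]:
        print("reachable but should be worker-only:", report["exposed"])
    if report["missing"]:
        print("web interface not reachable:", report["missing"])
    sys.exit(1 if report["exposed"] or report["missing"] else 0)
```

Run from a worker node instead, every port in the range that has a listening service should report `open`; the non-zero exit status makes the script usable in a scheduled check.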