The latest version of firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode. Greenhalgh said this fix is recent and produced screenshots showing his PoC worked on version 33 of Firefox, at least when running on Windows. Firefox 34.0.5 continued to allow multiple websites access super cookies. Chrome on Windows remained fully vulnerable, as did Chrome and Safari running on an iPad tested by Ars. Internet Explorer isn’t vulnerable because currently supported versions of the browser don’t support HSTS.
