Apple has added two mitigations to its Safari’s WebKit engine that addresses both sides of the attack: where tracking identifiers are created, and the subsequent use of invisible pixels to track users. HSTS can be abused as a’supercookie’ to surreptitiously track users of almost every modern web browser online without their knowledge even when they use “private browsing” Apple does not name any individual, organisation, or any advertising firm that was using HSTs supercookie tracking to target Safari users.
Source: https://thehackernews.com/2018/03/hsts-supercookie-tracking.html