HEIST allows compression-based attacks such as CRIME and BREACH to be performed directly in the browser with no network access required. The attack can be triggered simply by a JavaScript file, which may be hidden in a web advertisement or hosted directly on a webpage. The only mitigation is to disable third-party cookies, since responses sent by the HTTPS site are then no longer associated with the victim. Someone is going to have to get very smart and figure out a way to blunt this kind of attack before it leads to a massive problem.
Source: https://securityintelligence.com/news/heist-uses-a-cryptographic-scheme-to-steal-data/