favicon supercookie

According to recent research conducted at the University of Illinois at Chicago by Konstantinos Solomos, John Kristoff, Chris Kanich, and Jason Polakis, favicons can be used as a supercookie in most modern browsers! Most browsers store favicons in a separate cache, and even after the cache is cleared, a site can use a series of favicons to identify a user.

“A website can track users across browsing sessions by storing a tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific subdomain,” the paper's abstract explains.

The Supercookies!

The bad news is that there is no workaround to avoid these hidden supercookies, and all browsers seem to be susceptible to the attack, except for Firefox on Linux and Brave, across different scenarios: incognito mode, cleared data, anti-tracking and VPN.

The paper demonstrated the effectiveness of favicons as a powerful tracking vector, due to the unique and idiosyncratic favicon-caching behavior found in all major browsers. In fact, cached favicons enable long-term, persistent user tracking that bypasses the isolation defenses of incognito mode and is not affected by existing anti-tracking defenses.
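As an added example (not from the paper or from this post), the following Python code shows one way a defender could look in proxy logs for the pattern the abstract describes: one client fetching favicons from many subdomains of the same site in a short time. The log layout, the thresholds, the `favicon` path match and the two-label parent-domain shortcut are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample proxy records: (unix_time, client_ip, host, path).
SAMPLE_LOG = [
    (100.0, "10.0.0.5", "www.news.example", "/favicon.ico"),
    (100.3, "10.0.0.5", "static.news.example", "/app.js"),
    (140.0, "10.0.0.7", "shop.example", "/favicon.ico"),
    (141.0, "10.0.0.7", "www.shop.example", "/favicon.ico"),
] + [
    # One client fetching favicons from 12 sibling subdomains in under 5 s.
    (200.0 + 0.4 * i, "10.0.0.5", f"b{i}.tracker.example", "/favicon.ico")
    for i in range(12)
]


def parent_domain(host):
    """Assumption: the last two labels approximate the registrable domain.
    A real deployment should use a public-suffix list (e.g. for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def flag_favicon_fanout(log, window=10.0, min_subdomains=8):
    """Return {(client, parent_domain): n} where n is the largest number of
    distinct hosts under one parent domain that a client requested a favicon
    from within `window` seconds, for every pair with n >= min_subdomains."""
    hits = defaultdict(list)
    for ts, client, host, path in log:
        if "favicon" in path.lower():  # assumption: icon URLs contain "favicon"
            hits[(client, parent_domain(host))].append((ts, host.lower()))

    flagged = {}
    for key, events in hits.items():
        events.sort()
        start, best = 0, 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans <= `window` seconds.
            while ts - events[start][0] > window:
                start += 1
            best = max(best, len({h for _, h in events[start:end + 1]}))
        if best >= min_subdomains:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (client, domain), n in flag_favicon_fanout(SAMPLE_LOG).items():
        print(f"{client}: {n} favicon hosts under {domain} within window")
```

The thresholds are starting points to tune against normal traffic, since ordinary sites rarely load icons from more than a couple of their own subdomains in one visit.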


This is a very interesting research paper: as browsers develop privacy protections, new tracking mechanisms continue to evolve too. A similar paper was published two years ago about DNS-cache-based user tracking. So if you care about your privacy, you know what to do.

Read research paper here: https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

