
From a cursory review of the FAQs on the page it appears one mitigation might be to only keep one browser tab open at a time? They appear to be using timers and a cache eviction gadget to infer the state of other browser tabs/processes so it’s unclear what they can recover if you are not concurrently having a session to a particular site outside the gadget execution context. ???


They use window.open on a mouseover event listener to open another page. Even if you close it, they still are able to read from it as that memory isn't immediately zeroed or returned to the OS.


Besides window.open, I'd wonder if iframes could also be vulnerable if they launch in the same process.

Chrome and Firefox both support Out-Of-Process Iframes as part of their security setup; though I'm not sure if Firefox has it enabled by default yet. Firefox even drew some lovely pictures about it here: https://hacks.mozilla.org/2021/05/introducing-firefox-new-si...



