New Identity bypass
The "new identity" bypass requires no JS and works with highest private and security level that Tor Browser has! The attack works because favicon cache is not truncated. An attacker may spread unique tokens as part of the favicon addressess.
The new identity may be traced to the old one, since we know which token is given to which user and have ability to test if the user has the exact token (use token once, mark it as used and generate more if required). Furthermore, because the favicon connection is not closed when the "new identity" is ran we have also the knowledge that the tor browser is still open. Favicons are flushed when browser is closed.