The attack works in current versions of Chrome, Firefox, Android, and laptop computers with light sensors (such as the MacBook Pro) by taking advantage of a design flaw in a special API developed by the World Wide Web Consortium (W3C) that allows websites to interact with ambient light sensors through a browser without the need for user permission. Security researchers were able to use ambient light sensors to detect the color of links in your browsing history, allowing attackers to determine if a link has been visited or not. This makes it possible for malicious sites to violate the same-origin policy, steal cross-origin data, and extract information about the user’s browser history.
Olejnik went on to say that attackers can essentially discover how a given site or image looks for the attacked user, allowing the exfiltration of all image resources and data from any document. This makes it possible to hijack a victim's account from sites that use QR codes for account recovery.
Most troubling is the fact that just last month the Google Chrome team proposed that most sensors, including ambient light sensors, accelerometers, and gyroscopes, should be exempt from the browser permissions system. This means that websites wouldn't be required to seek user permission before accessing any of the sensors on your device.
Fortunately, there is a silver lining: mitigating this attack is rather easy, as it requires only the W3C and browser makers to limit the frequency of sensor readings and the precision of sensor output. This wouldn't prevent the attack, but as the report noted, it would make it far more difficult to conduct in real-world scenarios.
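
The mitigation described above, as an added sketch (not code from the report, the W3C, or any browser): a wrapper that limits both how often a light reading is reported and how precise it is. The names `makeLimitedSensor`, `stepLux` and `minIntervalMs`, the 50 lux / 500 ms values, and the sample readings are all assumptions made for illustration.

```javascript
// Added illustration, not browser or W3C code. stepLux and minIntervalMs
// are illustrative values chosen for this sketch.
function makeLimitedSensor({ stepLux, minIntervalMs }) {
  let lastTime = -Infinity;
  let lastValue = null;
  return function read(rawLux, nowMs) {
    // Frequency limit: inside the interval, repeat the previous report
    // instead of exposing a fresh measurement.
    if (lastValue !== null && nowMs - lastTime < minIntervalMs) {
      return lastValue;
    }
    // Precision limit: round to the nearest multiple of stepLux so that
    // small brightness changes map to the same reported value.
    lastValue = Math.round(rawLux / stepLux) * stepLux;
    lastTime = nowMs;
    return lastValue;
  };
}

// Constructed sample: raw readings as [timeMs, lux]. The first four differ
// by only a few lux; the last is a genuinely larger change in lighting.
const SAMPLE = [[0, 212.4], [100, 219.8], [200, 213.1], [600, 220.3], [1200, 263.0]];

// Run a series of raw readings through a freshly configured limiter.
function report(samples, opts) {
  const read = makeLimitedSensor(opts);
  return samples.map(([t, lux]) => read(lux, t));
}

// How many different values would a page be able to tell apart?
function distinctValues(values) {
  return new Set(values).size;
}

const raw = SAMPLE.map(([, lux]) => lux);
const limited = report(SAMPLE, { stepLux: 50, minIntervalMs: 500 });
console.log("raw:    ", raw, "distinct:", distinctValues(raw));
console.log("limited:", limited, "distinct:", distinctValues(limited));
```

With the limiter in place, the four readings that differ by a few lux are reported identically, while the larger lighting change is still visible to a page that legitimately adapts to ambient light.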