From internal leaks within the company as well as external analysis, the tip of the iceberg behind Facebook’s spyware empire is exposed. Take a look to better protect yourself when you’re not even on the platform: https://simplifiedprivacy.com/facebooks-corrupt-off-platform-surveillance/
You cannot do a whole lot without JS to be honest. My comment was not about Facebook but fingerprinting in general, though I kinda forgot to mention. I suspect finger-tracking strategies are kinda trade secrets so it probably varies. Running a VM still expose your VM settings, which basically let them track your VM around. This is the insidious thing about fingertracking, you can be followed around with spoofed data just as well. The very first time you will login anywhere, whether you use a VM or a VPM everything you touched with those settings will now track back to you.
Every time I see people talking about privacy solutions and suggesting to disable and block JS, I’m just completely dumbfounded. It’s not 2005 anymore. Most of the web these days is driven by JS. Nearly every web app you interact with, every site that has dynamic content, etc. all use JS. Disabling it entirely simply is not an option. You can find ways to selectively block certain origins, but that’s it. And trying to run noscript and just whitelisting only the things you absolutely need is a phenomenal amount of work. I know. I used to do it. It got really tiresome. Every single site is broken by default, and then you have to spend 20 minutes trying to find which scripts you have to whitelist to make a site functional.
I’m not saying this to be defeatist, but to be honest about the kind of work it takes and why we need to find seamless and user-friendly ways to block the kinds of things FB does.