Also, lying the visited state on JS was implemented as early as Firefox 4 - so it is definitely not a JS-dependent "exploit" (rather, it's a rather oblique way of social engineering).