Yeah, disabling or suspending JS in background tabs would definitely kill this version of the attack. However, our attack also isn't limited to JavaScript -- many of our experiments in the paper are implemented with a Python attacker. It can be implemented in basically any programming language and embedded in any application on your machine.