You cannot do a whole lot without JS to be honest. My comment was not about Facebook but fingerprinting in general, though I kinda forgot to mention. I suspect finger-tracking strategies are kinda trade secrets so it probably varies. Running a VM still expose your VM settings, which basically let them track your VM around. This is the insidious thing about fingertracking, you can be followed around with spoofed data just as well. The very first time you will login anywhere, whether you use a VM or a VPM everything you touched with those settings will now track back to you.