Not sure what you mean by that, but before they implemented any mitigations, it had a CORS policy that allowed requests from any origin. As far as I know, Chromium is the only browser platform that has blocked sites from connecting to localhost, so users of other browsers would be vulnerable, and so would Chrome users if they could be convinced to allow a localhost connection.
alt Hacker News
Not sure what you mean by that, but before they implemented any mitigations, it had a CORS policy that allowed requests from any origin. As far as I know, Chromium is the only browser platform that has blocked sites from connecting to localhost, so users of other browsers would be vulnerable, and so would Chrome users if they could be convinced to allow a localhost connection.