AFAIK NoScript whitelists don't respect first-party isolation (so a JS-enabled website can be included in a JS-disabled website), which makes it a relatively simple coordination problem between website A and B (possibly automated by a third-party tracker included in both A and B).

In any case, first-party isolation can be subverted: https://news.ycombinator.com/item?id=17947605