This android only.

From the article:

Meta managed to do this even when:

• You aren’t using the app (but have a session open in the background).

• You haven’t logged into your account in the browser.

• You’re browsing in incognito mode.

• You’re using a VPN.

• You delete cookies at the end of every session.

The captured data includes:

• Complete browsing history with specific URLs

• Products added to cart and purchases made

• Registrations on websites and completed forms

• Temporal behavioral patterns across websites and apps

• Direct linking to real identities on social networks

You’re not affected if (and only if)

• You access Facebook and Instagram via the web, without having the apps installed on your phone

• You browse on desktop computers or use iOS (iPhones)

• You always used the Brave browser or the DuckDuckGo search engine on mobile