So, the script creates an (invisible) <img> element for every website which points to the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onLoad() callback will fire. Otherwise, it will get an HTML page, so the onError() callback will fire.
It could work with any image on the website, not just the favicon.
I reported this bug to every company listed there, but all of them said it is not relevant to their users' privacy.