Yes, the victim can be a different site. Cloudflare's post mentions this:
"
Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site.
"
https://blog.cloudflare.com/incident-report-on-memory-leak-c...
