
Doesn't require running JavaScript, so presumably the devices could be more efficient in sending them versus XHR/fetch.


The article specifically says the offending pages used JavaScript to add the ping attribute to the <a> tags, so the attack wouldn't have worked against users with JS disabled anyway.


It doesn't use Ping on Chrome browsers. For example, this is what the a tag looks like on Chromium:

<a href="https://news.ycombinator.com/" data-ved="2ahUKEwiIxrz0jKDzAhUWHcAKHQnnArkQFnoECAcQAx" ping="/url?sa=t&amp;source=web&amp;rct=j&amp;url=https://news.ycombinator.com/&amp;ved=2ahUKEwiIxrz0jKDzAhUWH...">

and this is what it looks like in Firefox:

<a href="https://news.ycombinator.com/" data-ved="2ahUKEwj9i67MjKDzAhXUfMAKHWJcCYsQFnoECA0QAx" onmousedown="return rwt(this,'','','','','AOvVaw3F-2xUE22tTvOxNDwVufx-','','2ahUKEwj9i67MjKDzAhXUfMAKHWJcCYsQFnoECA0QAx','','',event)">

You can see that Chromium-based browsers call a ping endpoint whereas Firefox browsers use a mousedown event. This device detection uses the user agent; changing it on Firefox to look like Chrome results in a ping attribute instead of mousedown.


My understanding of the actual amplification vector is that the JS is just obfuscation on top: they could have just as easily deployed static HTML with those attributes.
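Added example, not part of any comment in this thread: a small Python audit script that lists the click-tracking hooks on a page's `<a>` tags, covering both shapes quoted above (a `ping` attribute and an inline `onmousedown` handler) and flagging `ping` targets on a different host than the page. The page URL, the `example` hosts and the shortened attribute values in `SAMPLE` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the two anchors quoted in the thread,
# with placeholder attribute values, plus one static third-party ping.
SAMPLE = """
<a href="https://news.ycombinator.com/" ping="/url?sa=t&amp;source=web">chromium-style</a>
<a href="https://news.ycombinator.com/" onmousedown="return rwt(this)">firefox-style</a>
<a href="/next" ping="https://a.example/hit https://b.example/hit">static</a>
"""


class LinkAuditScanner(HTMLParser):
    """Collect (href, mechanism, target, third_party) for tracked links."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = {name: (value or "") for name, value in attrs}
        href = attr.get("href", "")
        # ping is a space-separated URL list; the browser POSTs to each on click.
        for target in attr["ping"].split() if "ping" in attr else []:
            absolute = urljoin(self.page_url, target)
            third_party = urlsplit(absolute).hostname != self.page_host
            self.findings.append((href, "ping", absolute, third_party))
        # Script-based tracking: an inline handler instead of a ping attribute.
        for name in ("onmousedown", "onclick"):
            if name in attr:
                self.findings.append((href, name, None, None))


def scan(html, page_url):
    """Return every tracking hook found on anchors in the given HTML."""
    scanner = LinkAuditScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE, "https://search.example/results"):
        print(finding)
```

A scan like this only sees attributes present in the markup it is given; attributes added by script at runtime need the rendered DOM as input.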



