Does CORS cause privacy leaks?

First, I am aware of Decentraleyes, but it does not answer my question. I want to ask how CORS resources are cached locally.

Let me describe the problem here. Say an analytics company A wants to link user profiles on websites B and C. It creates a CORS URL called A.com/track.img; every time it is requested, the URL gives a random QR code.

Websites B and C embed this URL as a hidden image on the website and embed a script which reads the QR code. So a user who first visits site A and then visits site B will have the image cached, and hence both scripts may see the same QR code. As a result, the companies may be able to link the access.

Does this cause a privacy leak?
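
A simplified model of the caching question above, added here as an example and not part of the original post: it compares a cache keyed by resource URL alone with one keyed by (top-level site, resource URL), which is the cache-partitioning design current browsers use against this kind of linking. The class and function names are hypothetical, and a counter stands in for the random QR code so the result is reproducible.

```javascript
// Simplified model of a browser HTTP cache (constructed for illustration;
// all names are hypothetical and no real browser API is used).

// Stand-in for A.com/track.img: every network fetch returns a new value.
// A counter replaces the random QR code so runs are reproducible.
let fetchCount = 0;
function fetchFromTracker() {
  fetchCount += 1;
  return `token-${fetchCount}`;
}

class HttpCache {
  // partitioned = false: the cache key is the resource URL only.
  // partitioned = true: the cache key is (top-level site, resource URL).
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  // Return the cached body, or fetch and cache it on a miss.
  load(topLevelSite, url) {
    const k = this.key(topLevelSite, url);
    if (!this.store.has(k)) this.store.set(k, fetchFromTracker());
    return this.store.get(k);
  }
}

// One user visits B.com, then C.com, then B.com again;
// every page embeds the same tracker URL.
function tokensSeen(partitioned) {
  const cache = new HttpCache(partitioned);
  const url = "https://A.com/track.img";
  return {
    onB: cache.load("B.com", url),
    onC: cache.load("C.com", url),
    onBAgain: cache.load("B.com", url),
  };
}

// The visits are linkable when both sites read the same cached value.
function linkable(partitioned) {
  const t = tokensSeen(partitioned);
  return t.onB === t.onC;
}

console.log("URL-keyed cache links B and C:", linkable(false));
console.log("partitioned cache links B and C:", linkable(true));
```

In the partitioned case the value still repeats on a return visit to the same site, so the cached image identifies a returning visitor per site but does not join the two sites' profiles.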