Turns out it is still a threat - fixed in documentation i.e. another reminder that JavaScript is a PoS.
Talking about unfixed threats, the homograph/punycode issue is still a problem.
http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/very-hard-to-notice-phishing-scam-firefox-tor-browser-url-not-showing-real-domain-name-homograph-attack-punycode/8373
Still unfixed in Tor Browser/Firefox if you look at about:config.
If there is no fingerprinting risk, why not implement an option for toggling network.IDN_show_punycode to true on first use of Tor Browser? It would also be noted that non-Latin language users e.g. Chinese, Japanese etc. should not make any change due to garbarge appearance. (That’s millions of websites BTW).
Also, that investors page reminds me that any budding investor will want to see semi-regular census results - probably 6 monthly updates would be sensible to show Whonix is on the up and up. I expect by now that you have more than 10K estimated daily users, which is a steep growth trajectory in recent times.
If I had free $ or wanted to advertise on the Whonix website, that would probably convince me.