The vulnerability doesn’t make sense though.

Sure, someone can clone your YubiKey.

But they can also just tap to log into any website they want without cloning it if they stole it.

Discussion

Does it reveal which websites they have keys for? I assumed that was the issue.

No. You can already do that without an attack if you use resident keys. (aka passkeys *without* a username)

This only means that someone with your PIN and extended access can clone it.

Did y'all read the vulnerability in detail? If you don't have access to near-perfect lab conditions and incredibly expensive high-end equipment, you cannot do this. In other words, this is a theoretical vulnerability for most. I was able to switch to new YubiKeys, but transitioning my passkeys and other creds was a PITA.

Yeah, somewhat. I mostly upgraded for USB-C. Vuln. fix is a bonus.

I did