Most content sites have login systems that people use to customize their experience, post comments or upload content, etc. Millions and millions and millions of people are logged into content sites and are vulnerable to this attack.

Also, I disagree on the premise that adsense is mostly used on content sites. It's used on all kinds of websites.

Most notably would be the oodles of forums out there that are ad supported and require logging in.

There are sites that make use of sessions without forcing you into using an account. These are also vulnerable.

Well, sometimes for strange values of "vulnerable".

Some of my sites use Apache::Session over non secured http connections, which makes them technically "vulnerable".

The only practical thing an attacker can do with those session ids though, is to mess with some custom visitor tracking in my management backend. So perhaps my information about whether a particular inquiry visited my terms and conditions page or my privacy policy page will be wrong. I can live with that.