For more info on this issue: Tracking Protection in Private Browsing | Firefox Help
Would require Marketo to work with Disconnect to get removed from the list...
It also happens when you have 'Never remember history' in the History settings, which technically acts as the private browsing mode. CNAME alias won't work if your site is loaded over HTTPS, because of the SSL certificate mismatch. The only solution we've found is to proxy all the communications with your marketo subdomain through your domain. We use mod_rewrite + mod_proxy for this purpose, here is the example .htaccess for apache 2.2:
RewriteRule ^js/forms2/(.*) http://app-sjint.marketo.com/js/forms2/$1 [P,L]
RewriteRule ^form/getForm http://app-sjint.marketo.com/form/getForm [P,L]
RewriteRule ^form/getKnownLead http://app-sjint.marketo.com/form/getKnownLead [P,L]
RewriteRule ^index.php/leadCapture/save2 http://app-sjint.marketo.com/index.php/leadCapture/save2 [P,L]
then, to include the forms2.js from your domain:
<script>MktoForms2.loadForm("//company.com", "XXX-XXX-XXX", 1234);</script>
But with this approach user cookies are not proxied, so ideally you should use this method as a fallback only, the full example is at Solution to Embedded Marketo Forms Not Showing Up in Firefox - Quora
Your Marketo LPs should be running over SSL anyway (there's no barrier except cost).
You can either provide your cert to Marketo, buy their bundle, or (an nearly zero-cost route) use CloudFront and an auto-gen'd ACM cert.