
If the user did not intend to do the action that the malicious site had their browser perform for their account, it is by definition CSRF. The other site forged a request from the user.

Facebook might not care, but it is obviously a vulnerability. Sites can forge likes from users (which IIRC appear on timelines?).



> Facebook might not care

Facebook does care. Allowing like buttons on third party sites was (at least historically) a major part of their business. It's not like they are just being apathetic here - they actively want people to be able to like things from outside of Facebook and put in effort to make that happen.


They're clearly aware of the vulnerability if they close accounts for exploiting it. Techniques to prevent it are well-known and allegedly they have lots of skilled engineers. But those techniques would increase friction a little bit, so they've evidently decided they don't care about the vulnerability.
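The "well-known techniques" mentioned above are an Origin check plus a per-session anti-CSRF token on every state-changing request. The snippet below is an added illustration, not code from the thread or from Facebook: a minimal like endpoint that rejects a cross-site request by default, with a constructed request dict standing in for a real framework's request object and constructed origin/secret values.

```python
import hmac
import hashlib
import secrets

# Constructed values for the example: the site's own origin and a server-side secret.
SITE_ORIGIN = "https://example-social.test"
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (HMAC of the session id), to be
    embedded in the site's own forms/scripts so a third-party page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_like(request: dict, session_id: str) -> tuple:
    """Accept or reject a state-changing 'like' request.

    `request` is a constructed dict with 'method', 'headers' and 'form' keys.
    `session_id` is whatever the browser's session cookie resolved to; the cookie
    is attached automatically even to forged requests, which is why it alone
    must never authorize the action.
    """
    if request.get("method") != "POST":
        return 405, "method not allowed"

    # A request triggered from another site carries that site's Origin
    # (or none at all); only our own origin may change state.
    origin = request.get("headers", {}).get("Origin")
    if origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"

    # The token is readable only by pages on our origin, so a forging page
    # cannot supply it; constant-time comparison avoids leaking it via timing.
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return 403, "missing or invalid csrf token"

    return 200, "like recorded"


def demo() -> dict:
    """Run a legitimate request and a forged one through the handler."""
    session = "sess-1"  # constructed session identifier
    legitimate = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": issue_csrf_token(session)},
    }
    # A form auto-submitted from an unrelated site: the session cookie still
    # rides along, but the Origin differs and the token is absent.
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://unrelated-site.test"},
        "form": {},
    }
    return {"legitimate": handle_like(legitimate, session),
            "forged": handle_like(forged, session)}


if __name__ == "__main__":
    print(demo())
```

The forged request is refused twice over (origin and token), which is the "prevented by default" posture a site gets unless it deliberately accepts cross-origin like submissions, as the thread notes Facebook does for its embeddable button.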


Seems less like a vulnerability and more like a violation of ToS. Doesn't each involved party have an account? Is there a way for an otherwise unrelated third party to exploit this?


It's not that techniques are known to prevent this issue. It is prevented by default. Facebook has to take active steps to make this work. If they did nothing there would be no vulnerability.



