Refresh token rotation (which was recently released) is another solution. Check the discussion here: Call to authorize fails on Safari - #5 by thameera
The newer versions of SPA SDK lets you use localstorage as an option to store these refresh tokens. See the note here: Auth0 Single Page App SDK