Security teams around the world are parsing the flood of analysis about the side-channel attacks made possible by the Spectre and Meltdown vulnerabilities. Both vulnerabilities enable a range of attacks to compromise cached memory and have left developers, cloud hosting providers, chip makers, and others scrambling to deploy fixes as exploit code proliferates.
While much of the analysis has focused on operating systems, programs and processes, and how memory is allocated, web browsers have also been identified as a potential attack vector.
Safari, Firefox, MS Edge, and Google Chrome are actively working to release new versions that make such attacks far more difficult to execute and enable site isolation by default (or at least easier for users to do so). Patches, at least to begin with, will likely have have limited efficacy and may have additional computational costs. It's critical for developers to identify any vulnerabilities that would permit unauthorized parties from running JS code on their applications, and they should take additional measures, like those outlined by Google. Application owners and online advertising brokers will have a renewed interest in the sources of ads that are allowed to run on trusted sites. Users should exercise caution when allowing untrusted code to run on a visited site and update their browsers as soon as possible.