Mozilla Confirms Web-Based Execution Vector for Meltdown and Spectre Attacks

This is why it was always a good idea to install NoScript in default deny mode, and then only white-list select domains that you believe you can trust.