Sorry to rain on your parade, but people who practice safe computing can still be compromised by malware, ransomware, etc. Ads that pop-in from even Google's ad rotations have been known to carry malicious content added after they've been vetted by Google. This is one of the known ways RansomWare has been pushed onto supposedly locked down computer networks.
Another way with Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another. Javascript was just one modality of attack presumed as a means of using this vulnerability. The real problem associated with Meltdown and the look-ahead processing is that it can be exploited by so many other means until a way is found to vet the looking ahead processing that now is independent of any such vetting. ANYTHING can be stuck in there. If it IS useful to what is needed, it's used. If not, it's discarded. That look-ahead has access to the bus. . . and any data on it.
All a bad actor has to do is figure out how to insert his code in there—and no, it does not have to be a .exe file, just machine code—and it WILL be processed.
PLUS.....if a malware, virus or bad code is ‘new’ and never seen before, the ANTI-virus programs won’t know it and won’t do anything, just like your body’s immune system..........
But I think the fact that the current types of attacks have been talked about: https://pdfs.semanticscholar.org/e544/00824814fed2ef52bb84151b2fc04c863e99.pdf but not exploited from vectors like Javascript should be reason enough to not be too concerned.
Another way with Meltdown could be exploited is to hide malicious code in a steganographic image that could be called by a process loaded in another "look ahead" loaded into another.
As I have been pointing out, in every comment I have made, that requires running malicious code. It doesn't matter if that malicious code triggers other malicious code stegged into an image. It requires malicious user-mode code to start with.
All a bad actor has to do is figure out how to insert his code in there—and no, it does not have to be a .exe file, just machine code;and it WILL be processed.
Sure machine code will be processed. But arbitrary machine code cannot be processed from Javascript unless there is a bug in the JS machine that allows that. There have been such bugs, but this CPU flaw does not make them more likely. Also protections built into JS machines after rowhammer (which never really worked) also preclude the use of this CPU flaw.
Bottom line: malicious code has to run. There are not so many means to do that. Javascript is not one, nor is Flash, nor Java. I would not be too concerned. But given my second PDF link above, I would not be complacent either. I would practice safe computing even more vigorously given the new situation with Intel.