@dutch I really appreciate you help spreading awareness. There's lot of confusion and panic around this issue which isn't really necessary atm.
I'm not saying you do but there's a lot of FUD about this as well.
So far there are no known exploits and it would require quite some skills to actually use it. Let alone from a website's javascript. Theoretically it might be technically possible but would require a huge effort to actually steal a password that way. Javascript is an interpreted language and without control over the interpreter etc I think it's practically impossible. I do expect malware to surface but this isn't the casual OS hole.
Second the 30% is a maximum under certain circumstances of test on *nix (don't recall which one) and I'm not sure if it was with firmware update or not. If I recall correctly it mentioned between 5 and max 30%. Kaisar is also *nix only and not Windows. You can off course expect memory intensive applications to get hit, but not every application is memory intensive and certainly not all the time.
Spectre's impact can be lowered by firmware changes which Intel already released. Spectre is also present on ARM so and thus smartphones and tablets (depending on the chip) are affected. So if you want to be on the safe side of everything you'll need to update your firmware as well. Good luck average PC user...
Techspot actually released an update on their test with Meltdown update and Spectre firmware patch and it seems the impact is not as bad for normal PC usage.
Yeah, browsers (plugins/scripts) are always a big security problem (maybe the big?) . In my opinion as users the first thing to do it's to limit the use of plugins and use a solid and updated browser: as you said, scripts are interpreted, and browser manufactors are able to fix/limit the interpreter (for example firefox now have somehow patched the issue hiding the leak by disabling timers and the SharedArrayBuffer ).