The title reads like someone found a new exploit. There's no actual content in there, instead plain wrong information.
The code in spectre.c won't compile or work on JS or WASM because it uses high-precision timing intrinsics not available in the browser sandbox. It was possible to exploit performance.now(), but all browsers have released updates which reduce precision of perf.now() dramatically.
May be there are other time sources lurking somewhere in the browser which could be exploited, but the article is just spreading FUD.
There is no proof of concept here. Carry on.
I wonder if the author actually tested this.
There is no cache flushing in asm.js or wasm, so a key component of the example spectre.c, "mm_clflush()" is a no-op.
Even if the example were to compile, I don't see how it would work as is. It might be possible to attempt an alternative attack where you attempt stuff the cache and determined what got evicted, but that is a different attack and certainly not in the vein of "just recompile your c/c++ based exploits for the web".
I'm too lazy to compile the example. Would be nice if they had some actual proof that didn't require my commission.
the idea4good code was posted here some time ago. After reading the comments I think it's flawed and doesn't demonstrate anything.