That's exactly what I'm saying --- in the real world, exploits tend to be wrapped in JS even if they don't technically need it.
but it's not the substantial weakness in browser vulnerabilities
Then what is? My real-world experience also correlates.
HTML (non-JS) parsing, memory corruption, image processing, filetype validation and process isolation/sandboxing.
That's exactly what I'm saying --- in the real world, exploits tend to be wrapped in JS even if they don't technically need it.
but it's not the substantial weakness in browser vulnerabilities
Then what is? My real-world experience also correlates.