I wonder if they are actually possible. Remote code execution in the javascript engine does sound dangerous, but then you also have to get past address space randomisation, and then you need another exploit to escape the sandbox...

Right, all of which get patched every update as well. In theory chaining them together is doable, it’s just effort.