XSS and CSRF are not the only client-side attacks.