Browser code execution
If browsers were just that without the ability to run code then the vast majority of these attacks would not be possible.
Unfortunately advertisers want the ability to execute code on the users computers (where the cost is born by the users) rather than on the servers (where they would have to bear the cost) and also want to be able to extract as much data about the users as possible..
For a safe browsing experience the browser should only execute HTML with no scripting or invoking other programs - however almost all sites now require the browser to support active scripting (shades of Internet Explorer and ActiveX!!). Now often even the website authors do not know what code the users are being asked to execute as their code pulls in code from other libraries which then pulls in further code.
It is getting to the point where the only safe way to run a browser is in a VM with no persistent storage using a Linux live CD (or DVD) image.
Even with Noscript, Spybot S&D and Norton Security (and using Firefox instead of IE or Edge) all too often browsing seems like treading a path through a minefield!!!
Icon for what should happen to the people who insist on browsers having active scripting ============>