I hear the early mitigation for Spectre is to disable SharedArrayBuffer.
To test whether this has been done, load the one-line file
into cefclient (a file: url works). If the alert says "unknown", it's disabled.
I just tested my builds of cef. 2526 and 2704 appear to not support SharedArrayBuffer, but 3112, 3202, 3239, and 3282 do.
On January 5th, cef 3282 updated to Chromium version 64.0.3282.71. However, this does not seem to be new enough, as https://chromium.googlesource.com/chromium/src/+log/64.0.3282.89 shows a commit on Jan 6th that disabled SharedArrayBuffers: https://chromium.googlesource.com/chromium/src/+/62fc5a081ba836bf4983f3b3ff4ec08382ac4c25
Time to pull from upstream on the supported branches, if you're not already in the middle of it?