So it's been trivially easy to protect desktop browsers (IE/FF) but it's mobile devices which you are most likely to connect to random, possibly malicious net-works.
My win 8.1 phone is vulnerable and I can't find anything regarding a patch being in the pipeline (not that I'd use a mobile device on a public wifi for anything sensitive mind).
The stock android browser on JB 4.1 is vulnerable too and I can't see that being updated in the push to Chrome. I bet a lot of android device users that have the stock browser still use it.