In this paper, the authors show that under realistic assumptions, it is indeed possible to bypass TRR directly from JavaScript, allowing attackers to exploit the resurfaced Rowhammer bug inside the browser. In addition, their analysis reveals new requirements for practical TRR evasion. For instance, they discovered that activating many rows in rapid succession as shown in TRRespass may not always be sufficient to produce bit flips. The scheduling of DRAM accesses also plays an important role.
You can download it from the following link: https://packetstormsecurity.com/files/download/162192/smash_sec21.pdf
Source: https://packetstormsecurity.com/files/162192/SMASH-Synchronized-Many-Sided-Rowhammer-Attacks-From-JavaScript.html