Anyone with the ability to inject or modify packets in the network path between server and client can inject malicious javascript or browser exploits into an unencrypted HTTP TCP stream. The client’s User-Agent and other headers would allow the attacker to customize their attack to target that specific browser version, and compromise the client machine.