We are currently performing an in-depth review of this QID to determine the appropriate PCI Status. I believe it will probably be marked as a PCI Failure in the near future. You may want to start investigating possible remediation steps if possible.
You are correct in that this is basically a client side attack (which could play into the PCI Scoring as well), howerver since the risk could allow impersonation of the legitimate user session, this would still need to be remediated on the Server Side, to not allow the weak CBC Mode usage. Security Best Practices indicates Security should be enforced on the Server Side, as you shouldnt rely upon the End User to provide their own security.