- If someone gain physical access to my computer will they be able to use those said attacks to decrypt my files?
No, there needs to be an active implementation of AES for these attacks to work; unless the attacker can startup a service that acts on the plaintext or ciphertext data, padding and side channel attacks are not possible.
- Let's say they where able to copy the encrypted files and the encryption program that uses CBC on a USB stick but not the key. will they have chances of decrypting the files?
No, padding oracle attacks are not possible without the key. It says nothing about the plaintext if an unpadding error occurs when using the wrong key. Side channel attacks are commonly used to get to the key value, but here the same problem occurs, having information about the foreign key or decryption with the foreign key will not give any indication of either plaintext or the key.
Notes:
- Padding oracle attacks are part of a family of plaintext oracle attacks; both of them obviously require a decryption oracle to work.
- On the other hand, side channel attacks are themselves a family of attacks; what you are alluding to seems to be side channel attacks based on response time; other attacks are e.g. attacks based on (differential) power usage.
- Plaintext oracle attacks simply require the oracle: any active component that is willing to decrypt and leak enough information about the plaintext for more of the plaintext to become available; they don't necessarily require the Internet - any connection would suffice, the faster the better.
- The same basically goes for side channel attacks; any information retrieved from the cipher operation that is related to the key (or, less commonly, the plaintext) could convey information to the attacker; the more access to the cipher operation the better.
