Backport of fix shipped in Firefox 58.0.1?
We could think about backporting the sec-critical fix shipped in Firefox 58.0.1:
https://hg.mozilla.org/releases/mozilla-release/rev/c2db4a50dc5c93b44852d9a5201f7ec062ecc6cb
ESR 52 got audited and this issue was not found there. We could use the backport as a defense-in-depth as it closes out a whole attack vector. The patch is largish, though.