Backport of fix shipped in Firefox 58.0.1?

We could think about backporting the sec-critical fix shipped in Firefox 58.0.1:

https://hg.mozilla.org/releases/mozilla-release/rev/c2db4a50dc5c93b44852d9a5201f7ec062ecc6cb

ESR 52 got audited and this issue was not found there. We could use the backport as a defense-in-depth as it closes out a whole attack vector. The patch is largish, though.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information