Backport of fix shipped in Firefox 58.0.1?
We could think about backporting the sec-critical fix shipped in Firefox 58.0.1:
ESR 52 got audited and this issue was not found there. We could use the backport as a defense-in-depth measure, as it closes out a whole attack vector. The patch is largish, though.