Are ESR's moderate- and low-risk vulnerabilities fixed in TBB?

According to https://support.mozilla.org/en-US/kb/firefox-esr-release-cycle:

Maintenance of each ESR through point releases is limited to high-risk/high-impact security vulnerabilities, and in rare cases may also include off-schedule releases that address live security vulnerabilities.

Are there known moderate- and low-risk vulnerabilities in TBB? Does the Tor team backport fixes for such vulnerabilities from non-ESR versions of Firefox?

The week preceding every Firefox stable non-ESR release we do perform our own vulnerability assessments based on Tor Browser users’ specific threat model, needs and configuration (e.g. already disabled features), which may differ from those of the general Firefox audience.
Then we backport to our Tor Browser code branches any security patch which has not already been uplifted to ESR by Mozilla and which we deem required for our users.

I’ve just finished this (usually) monthly task of mine today :)
