I’m not sure but I think Desktop TBB doesn’t and Android does but I may be completely wrong there.
Would it be advisable to stay off hidden services until a patched version comes out in either 12.5.7 or 13.0? And if using safest mode then doesn’t it negate the vulnerability by default? Sorry if these are idiotic questions.
Well there’s some activity on master now https://github.com/mozilla/gecko-dev/commits/master/media/libvpx
It is preinstalled and can’t be uninstalled or deactivated on the Huawei Phone. 
Even more OT:
My next phone will be one SHIFTphone 8 with CalyxOS. Or with a Risc-V CPU (open standard instruction set architecture ISA ) if I can find one.
Onion services are just normal sites with end to end encryption.
I don’t see any specific reason to avoid them.
Click to play should help.
I don’t advise custom configurations, such as disabling VP9, because like any custom configuration might make you fingerprintable.
Sounds like a scheduled update. The Bug has been opened 4 months ago.
ESR 115 is affected, so we’ll receive it too, at some point. 115.4.0esr is being tagged October 16.
OT: Looks like the old Microsoft trick of times past with their pre-installed stuff or even Google of today.
My logic was that onion services are perhaps more liable to attempt such exploits since the likelihood of tracing it back to its source is so low.