I am trying to verify specifically which versions of Firefox are vulnerable to CVE-2024-8387.

  • 3 replies
  • 0 have this problem
  • Last reply by cor-el

I know that typically Mozilla does not put a lower bound on advisories, and https://www.mozilla.org/en-US/security/advisories/mfsa2024-40/ is the advisory for vulnerabilities fixed in ESR 128.2. CVE-2024-8387 is listed here, yet the advisory for 115, https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/, does not list this vulnerability. Was this something that was only impacting 128 (for the ESR builds) or is there a mistake that either 115.15 did patch it but it wasn't documented, or the patch has been missed and ESR 115 is still vulnerable?

All replies (3)

Firefox 115.15.0esr is vulnerable, yes; however, there have been Fx 115.16.0esr and Fx 115.16.1esr updates since Fx 115.15.0esr. There have also been Fx 128.3.0esr and Fx 128.3.1esr updates since the Fx 128.2.0esr you mentioned.

The older Firefox 115 ESR channel is planned to have updates till Fx 115.21.0esr in March 2025, though in early 2025 a decision will be made on whether to extend or not.

Fx 115.16.0esr: https://www.mozilla.org/security/advisories/mfsa2024-48/
Fx 115.16.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/
Fx 128.3.0esr: https://www.mozilla.org/security/advisories/mfsa2024-47/
Fx 128.3.1esr: https://www.mozilla.org/security/advisories/mfsa2024-51/

https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
Firefox Release Notes: https://www.mozilla.org/firefox/releases/

The CVE-2024-8387 may have been a vulnerability found in later versions after Firefox 115.0 as to why it is not listed for any Firefox 115 ESR version. The Firefox 115.0 ESR is based on the Firefox 115.0 Release but with security/stability fixes since.

Modified by James

I appreciate the report that CVE-2024-8387 has been patched, but I cannot find it explicitly mentioned in any of the patches for 115 ESR. What we need to know is, was 115.15 or earlier vulnerable (or to your point, was the functionality that was vulnerable made in a product update that was not changed until after the 115 ESR branch was split off).

Neither 115.16, 115.16.1 nor any other advisories mention it. We can't assume it is or is not vulnerable, as the NVD page indicates all versions below 128.2, which implies that the only way to resolve it is to go to 128.2 ESR or higher.

Modified by cor-el
