the vulnerability was fixed upstream by mozilla anyway