Mozilla has once again extended the support window for Firefox 115 ESR, giving users on Windows 7, Windows 8/8.1, and macOS 10.12-10.14 a reprieve until at least March 2026. The move, confirmed in Mozilla’s updated release calendar, ensures that the aging browser branch will continue to receive critical security patches for another six months beyond its previous deadline, with a formal re-evaluation scheduled for early 2026.
This is not the first extension. Firefox 115 launched in July 2023 as the final feature release compatible with those legacy operating systems, after which Mozilla transitioned those installations to the Extended Support Release (ESR) channel. Originally, support was expected to sunset in 2024, but user telemetry and operational pragmatism have led to repeated stay-of-executions. The latest push to March 2026 underscores both the stubborn persistence of legacy OS usage and Mozilla’s careful balancing act between security responsibility and maintenance cost.
What Has Changed – and What Hasn’t
The fundamentals remain unchanged. Windows 7, Windows 8, and Windows 8.1 have been unsupported by Microsoft since January 2020 and January 2023, respectively. macOS versions 10.12 (Sierra), 10.13 (High Sierra), and 10.14 (Mojave) similarly receive no new security updates from Apple. Mozilla’s decision does not alter those platform realities; it only means that the Firefox browser itself will continue to be patched against known vulnerabilities on those systems.
Specifically, the ESR 115 branch will receive security-only point releases and emergency fixes where necessary. No new features, performance improvements, or changes in behavior will be backported from the current Firefox streams. Meanwhile, ESR 128 remains the mainstream extended-support branch for modern operating systems and continues to receive full updates.
Users still running Firefox 115 on these older platforms should see automatic updates to the latest ESR 115 point release, provided auto-update is enabled. Enterprises can manage this through Firefox’s built-in enterprise policies, which allow administrators to pin specific ESR versions or control rollouts.
Why Mozilla Keeps Extending ESR 115
The repeated extensions are not arbitrary. They reflect a data-driven approach informed by Firefox’s telemetry. Mozilla’s Public Data Report reveals that a measurable share of Firefox users remain on Windows 7, 8, or 8.1, as well as older macOS releases. While precise percentages fluctuate, the numbers are large enough that leaving those users without browser-level security updates would create a significant risk vector.
For Mozilla, the calculus pits public safety against escalating engineering costs. Backporting security fixes to an increasingly divergent codebase – one that predates major internal changes in recent Firefox versions – demands dedicated testing infrastructure, QA cycles, and security triage. The company has judged, each time the deadline neared, that the societal benefit of protecting millions of stranded users outweighed the added maintenance burden. The formal re-evaluation in early 2026 suggests this is not an indefinite commitment; it is a conditional safety net.
What This Means for Users on Legacy Systems
Security Updates, Within Limits
Firefox 115 ESR will continue to close known browser-level vulnerabilities, but it cannot compensate for an unsupported operating system. Users should not mistake a patched browser for a secure machine. Critical OS-level flaws in the kernel, drivers, or core services remain unaddressed and exploitable. As one security researcher put it, “A supported browser on an end-of-life OS is like a reinforced door on a crumbling wall.”
Compatibility Erosion
As the web evolves, legacy browsers inevitably drift from modern standards. TLS 1.3 enhancements, new cipher suites, and stricter certificate validation can cause breakage on older clients, even if the browser itself receives security patches. Additionally, Mozilla’s add-on ecosystem has warned that root certificate expirations could temporarily disable legacy extensions if authors do not update signing certificates. Users may face growing friction when accessing newer sites or using certain add-ons.
Practical User Advice
For those still on Windows 7, 8/8.1, or macOS 10.12-10.14, the options are limited but clear:
- Upgrade the OS if at all possible. Moving to Windows 10, Windows 11, or a supported macOS version is the only way to receive full platform and browser security updates. Mozilla itself recommends switching to ESR 128 or the regular Firefox release on a modern OS.
- Migrate to a lightweight Linux distribution if hardware prevents an official OS upgrade. Many older machines run modern Linux distributions comfortably and gain immediate access to a fully supported browser stack.
- If you must stay on a legacy OS, enable Firefox’s automatic updates, prune extensions to trusted ones, and adopt a defense-in-depth posture: use network isolation, least-privilege accounts, and exercise extreme caution with downloads and attachments.
Practical Guidance for IT Administrators
For organizations managing fleets of legacy workstations, the extension buys time but demands action. Administrators should treat March 2026 as a hard deadline unless Mozilla announces another extension. Recommended steps:
- Inventory and classify all devices running legacy OSes. Identify which are exposed to the public internet or handle sensitive data.
- Prioritize upgrades for high-risk endpoints. For those that cannot be upgraded, consider segmenting them into isolated networks or routing traffic through a gateway proxy to add a layer of inspection.
- Enforce ESR policies via Firefox’s enterprise configuration. Use policy templates to ensure machines receive ESR 115 updates and to prevent accidental upgrades to unsupported newer versions that might break compatibility.
- Monitor Mozilla’s release calendar and support documentation for the early-2026 re-evaluation decision and any emergency patch announcements.
The Engineering and Policy Trade-offs
Mozilla’s handling of ESR 115 is a textbook case in long-tail software maintenance. The strengths of its approach are evident:
- Public safety focus: By keeping security backports flowing to a vulnerable user segment, Mozilla reduces the immediate attack surface.
- Transparency: The ESR model and public release calendar provide clear expectations for enterprises and users, unlike the abrupt end-of-support practices of some competitors.
- Data-driven decisions: Telemetry, not arbitrary timelines, governs whether maintenance continues.
But the costs and risks are equally real:
- Technical debt: Maintaining backports on a codebase that diverges further from the mainline with each release cycle increases complexity and the risk of regressions.
- False sense of security: Users may incorrectly assume a patched browser makes their whole system safe, ignoring critical OS-level vulnerabilities.
- Ecosystem friction: Add-on signing, certificate renewals, and web standard evolution create ongoing breakage potential that Mozilla’s security patches cannot address.
Broader Industry Implications
Mozilla’s move stands out because most major browser vendors abandoned legacy OS support years ago. Google Chrome ended support for Windows 7 in early 2023, and Microsoft Edge’s underlying Chromium engine never targeted those platforms after Microsoft’s own end-of-life dates. By maintaining a legacy ESR branch, Mozilla has positioned itself as a crucial safety valve for users stranded on unsupported platforms – but that role is finite and costly.
The ongoing presence of legacy OS installs is an industry-wide reality, not a Mozilla-specific problem. The company’s iterative extensions serve as a bellwether for how application vendors might choose to share the security responsibility when platform vendors step away. While Mozilla’s gesture is commendable, it also highlights the uncomfortable truth that such stopgap measures cannot replace the need for a supported OS.
Conclusion
Mozilla’s extension of Firefox 115 ESR support through March 2026 is a pragmatic, data-backed decision that buys time for users and organizations still clinging to unsupported operating systems. It is not, however, a long-term guarantee or a substitute for modernization. The clock is ticking – and while Mozilla’s engineers continue to patch browser binaries, the larger risk of running an unpatched OS remains. For everyone from home users to enterprise IT administrators, the message is clear: use this extra time to migrate, because eventually, the lifeline will snap.