Mozilla has once again pushed back the planned retirement date for Firefox 115 Extended Support Release (ESR) on legacy operating systems. The company now commits to delivering critical security patches for Windows 7, Windows 8, Windows 8.1, and macOS 10.12–10.14 through at least March 2026, with a formal review scheduled for February 2026 to decide whether further extensions are needed.

This marks the latest in a series of reprieves for the aging Firefox branch. Originally slated to end support in September 2024, the 115 ESR has already seen its lifespan extended multiple times. Mozilla’s decision underscores the stubbornly persistent user base still clinging to these unsupported platforms, as well as the organization’s pragmatic approach to harm reduction.

Why ESR 115 Exists: A Quick Refresher

When Mozilla shipped Firefox 115 in July 2023, it was the final feature release compatible with pre–Windows 10 desktops and several older macOS versions. Recognizing that millions of users would be left with an unpatched browser, Mozilla steered installations on those systems onto the ESR channel. That channel is designed for stability and long maintenance windows: it limits changes to high-risk security and quality fixes, allowing organizations and individuals to run a predictable, hardened build over an extended period.

Mozilla’s public ESR policy stresses that maintenance focuses on critical security vulnerabilities and occasional emergency backports, not ongoing feature development. In contrast, Google Chrome and Microsoft Edge both dropped support for Windows 7 and 8.x in early 2023, making Firefox the last major browser actively patching security defects for these older Microsoft operating systems.

What the Latest Extension Means

In an update to its release calendar, Mozilla stated: “We decided to extend support for ESR 115 only on Windows 7-8.1 and macOS 10.12-10.14 up to March 2026. We will re-evaluate this decision in February 2026 and announce any updates on ESR 115’s end-of-life then.”

The extension is strictly limited in scope. The ESR 115 branch will receive only security patches and high-impact quality fixes for legacy platforms. No new features, modern platform integrations, or broad functional enhancements will be backported. This is consistent with Mozilla’s ESR policy and repeated communications from the release team.

Mozilla’s choice is driven by telemetry. According to the company’s Public Data Report, Windows 7 alone still accounts for roughly 6.7% of Firefox’s desktop user base — a non-trivial fraction that the organization is unwilling to abandon without a safety net. While that figure can fluctuate, it represents millions of devices that would otherwise be browsing the web with an unpatched browser.

The Engineering Cost of Backporting

Maintaining a legacy branch is not free. Over time, the main Firefox codebase adopts modern platform APIs, updated cryptography stacks, and new tooling that simply cannot be shoved into an older ESR fork. Backporting a security patch often requires:

  • Recreating or maintaining legacy build and test images.
  • Rewriting fixes to avoid modern APIs and dependencies absent on old OSes.
  • Additional QA cycles to prevent regressions on legacy drivers or system libraries.

Mozilla engineers have described this growing divergence as “increasingly painful,” which explains why each extension is deliberately short and time-boxed. The organization is effectively performing surgical security triage, not a full maintenance commitment.

Firefox vs. Competitors: Who Dropped Support and When

To appreciate the significance of Mozilla’s move, consider the timeline of legacy OS support among major browsers:

  • Google Chrome: The Chromium project removed Windows 7 and 8.1 support with Chrome 110 in early 2023. Users on those OSes have received no further security updates from Chrome since then.
  • Microsoft Edge: Edge 109 was the final version to support Windows 7 and 8.1. Version 110 and later require Windows 10 or higher, aligning with Microsoft’s own OS lifecycle changes in January–February 2023.
  • Mozilla Firefox: Through the ESR mechanism, Firefox continues to patch critical vulnerabilities, leaving it as the sole mainstream browser still delivering security backports for these aging Windows versions.

This unique position has made each extension highly visible to both users and industry observers, and it places Firefox in the role of a de facto safety net for a sizable population that cannot or will not upgrade.

What ESR 115 Will — and Won’t — Fix

The scope of the 115 ESR maintenance is explicit and narrow:

Will be patched:
- High-severity security vulnerabilities in the Firefox application code that can be safely backported.
- Emergency fixes for in-the-wild exploitation scenarios deemed critical by Mozilla’s security teams.

Will not be patched:
- New features or performance enhancements.
- Operating system–level vulnerabilities, including kernel exploits, unpatched drivers, or system services.
- Deep dependency upgrades that rely on modern platform APIs unavailable on legacy systems.

This means that while ESR 115 reduces the immediate risk of browser-based attacks, it does nothing to harden the underlying operating system. Unpatched Windows 7 or 8.1 machines remain exposed to a wide array of known exploits that a browser patch cannot address.

Risks and Recommendations for Legacy Users

For users stuck on Windows 7, 8, or 8.1, the extension buys valuable time — but it is not a permanent fix. The residual risk is significant: with Microsoft no longer issuing OS security updates, critical vulnerabilities in SMB, RDP, and other system components remain wide open. Mozilla itself strongly recommends upgrading to Windows 10, Windows 11, or a supported Linux distribution for long-term safety.

Immediate steps for those who must remain on legacy platforms:

  1. Verify your Firefox build. Confirm you are running Firefox 115 ESR. Only the ESR channel receives the targeted security patches Mozilla will continue shipping.
  2. Harden the endpoint. Run a reputable endpoint protection product, disable unnecessary services, use strong network segmentation, and apply application whitelisting where feasible.
  3. Plan an upgrade path now. Treat March 2026 as a hard deadline for completing OS migrations. Evaluate alternatives such as lightweight Linux distributions (e.g., Linux Mint, Ubuntu LTS) if hardware upgrades are not viable.

What IT Teams Must Do

Enterprise IT departments should treat this extension as a stopgap, not a strategy. The recommended action plan includes:

  • Inventory all devices still running Windows 7/8/8.1, and flag which ones are tied to business-critical applications.
  • Prioritize remediation: public-facing machines and users with elevated privileges should be upgraded first.
  • Plan migration paths:
  • Upgrade hardware and move to Windows 10 or 11 where possible.
  • Where hardware is too old, evaluate supported Linux distributions as pragmatic alternatives.
  • Use Firefox 115 ESR security updates to buy time, but not as a permanent crutch.
  • Monitor Mozilla’s communications for any changes following the February 2026 re-evaluation that could shorten or extend the timeline.

A Pattern of Extensions

The extension to March 2026 is not the first, and history suggests it may not be the last. Mozilla has repeatedly pushed back the retirement date for ESR 115. The original end-of-life was set for September 2024, then moved to early 2025, and now to March 2026. Each time, the organization cites the persistent user base and the desire to reduce near-term risk. However, the explicit re-evaluation windows (every six months, with the next in February 2026) indicate a deliberate strategy to time-box the commitment and prevent indefinite legacy maintenance.

Users and administrators should not bank on another extension. The February 2026 re-evaluation could result in a final cutoff, especially as the engineering burden grows and the legacy user share gradually declines. Mozilla has been clear that support is conditional and could end after March 2026.

The Bigger Picture: Harm Reduction vs. Complacency

Mozilla’s approach is a textbook case of risk triage. By continuing to patch browser-level vulnerabilities, the organization is reducing the most immediate attack surface for millions of users. For those who truly cannot upgrade — whether due to locked-down legacy applications, hardware constraints, or procurement cycles — a patched Firefox is materially safer than an unpatched one.

But the extension also carries a downside: it may encourage complacency. Organizations that might otherwise be forced to accelerate OS upgrades now have another 18 months of breathing room. That breathing room, however, comes with the hidden cost of prolonged exposure to unpatched OS-level flaws. As Mozilla itself warns, even a fully patched browser cannot close the security gaps left by an unsupported operating system.

The Road Ahead: February 2026 and Beyond

For now, the timeline is clear:

  • Now through March 2026: Firefox 115 ESR continues receiving security-only updates on Windows 7/8/8.1 and macOS 10.12–10.14.
  • February 2026: Mozilla will re-evaluate and announce definitive end-of-life plans for the branch.

After March 2026, support could cease entirely, leaving anyone still on these legacy OSes without any browser security updates. Given that no other major browser supports these platforms, the stakes are high.

Mozilla’s decision is a concrete example of pragmatic risk management: a targeted safety net for a non-trivial user base, bounded in scope and time, and explicitly designed to encourage migration rather than perpetuate dependency. Users and organizations alike should use this window wisely. The clock is ticking louder than ever.