by tptacek 3528 days ago
Sorry, I thought I had written a longer comment but got distracted, so that came out sharper than I meant.

I agree. Notice is good. But all sorts of pressures interfere with notice, like embargoes, multiple stakeholders, threat intelligence, IR and active exploitation, and so on.

The important thing is to close the vulnerability. Everything else is distantly secondary.

Also, and respectfully: it is not so much Mozilla's job to know the maintenance status of Google JavaScript libraries so much as it is Google's responsibility not to ship JavaScript code (or extensions) that make Mozilla insecure.