by zxcvgm 653 days ago
Yeah. That's what I came here to say too.

Previously when their YubiKey 4s were found to be susceptible to the ROCA vulnerability [0], they issued replacements [1] for any customers who had affected devices. I had a few of those devices and they were replaced for free.

I guess that's a disadvantage of having a non-upgradable firmware. They can't fix these devices that are already out in the field.

[0] https://en.wikipedia.org/wiki/ROCA_vulnerability

[1] https://support.yubico.com/hc/en-us/articles/360021803580-In...


As I understand it, the ROCA vulnerability is "the secrets generated by a YubiKey may be susceptible to classic cryptographic breaks", something along the lines of "the cipher is inherently weak."

This vulnerability, meanwhile, appears to be in the class of "if someone has physical access to your hardware token, and has access to some specialized (expensive) hardware to do side-channel analysis, they might be able to do side-channel analysis on your hardware token." But if someone has physical access to the hardware token... I mean, at that point, most people would consider it compromised anyway and wouldn't expect security guarantees from that point.

Yes: the keys the Y4 tokens generated were susceptible to attacks; here, it's the device itself.
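The distinction drawn above (ROCA weakened the generated keys, so the weakness travels with the public key and can be detected from it alone) is something you can check for yourself. The script below is an added example, not code from this thread, from Yubico, or from the original roca-detect tool; it re-implements the public-key fingerprint described in the ROCA paper [0]. The affected Infineon library built RSA primes as p = k*M + (65537^a mod M) with M a primorial, so for every small prime r dividing M the modulus N = p*q satisfies N mod r in the subgroup generated by 65537 in Z_r^*. The list of fingerprint primes, the choice of M_1024 as the product of the primes up to 353, and the helper names are my own; the demo moduli are constructed here (a structural imitation of the key shape, not the library's real generator) so the script runs offline.

```python
"""ROCA fingerprint test for RSA public moduli (added example, not from the thread)."""
import random

GENERATOR = 65537  # the affected library used the public exponent as its generator

# Small primes used for the fingerprint. They divide M for every affected key
# size (512 to 4096 bits), so one test covers all of them. (Assumed list.)
FINGERPRINT_PRIMES = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]


def generator_subgroup(r):
    """Return {65537^j mod r}: the residues a ROCA-form prime can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


SUBGROUPS = {r: generator_subgroup(r) for r in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n):
    """True if modulus n matches the ROCA key structure for every small prime.

    A modulus built from two random primes passes this with negligible
    probability; a ROCA-form modulus always passes.
    """
    return all(n % r in SUBGROUPS[r] for r in FINGERPRINT_PRIMES)


# --- demo-key construction below is mine, not the library's real algorithm ---

def _primes_up_to(limit):
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, v in enumerate(sieve) if v]


def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for generating demo keys."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits, m, rng):
    """Prime of the form k*M + (65537^a mod M), mirroring the affected structure."""
    lo, hi = (1 << (bits - 1)) // m, (1 << bits) // m
    while True:
        residue = pow(GENERATOR, rng.randrange(1, 1 << 64), m)
        p = rng.randrange(lo, hi) * m + residue
        if p.bit_length() == bits and _probable_prime(p, rng):
            return p


def random_prime(bits, rng):
    """Ordinary random prime, the shape a sound RSA generator produces."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(p, rng):
            return p


def make_roca_style_modulus(bits=1024, rng=None):
    """ROCA-form modulus; M for 1024-bit keys is the product of primes up to 353."""
    rng = rng or random.Random(2017)
    m = 1
    for r in _primes_up_to(353):
        m *= r
    return roca_style_prime(bits // 2, m, rng) * roca_style_prime(bits // 2, m, rng)


def make_random_modulus(bits=1024, rng=None):
    rng = rng or random.Random(2017)
    return random_prime(bits // 2, rng) * random_prime(bits // 2, rng)


if __name__ == "__main__":
    print("ROCA-form key :", has_roca_fingerprint(make_roca_style_modulus()))  # True
    print("random RSA key:", has_roca_fingerprint(make_random_modulus()))      # False
```

To test a real key, feed `has_roca_fingerprint` the modulus as an integer; `openssl rsa -pubin -in key.pem -noout -modulus` prints it as hex, so `int(hexstring, 16)` is all the parsing needed. Note what the test does and does not tell you: a match means the key came from the affected generator and can be factored with the paper's Coppersmith-based attack in the stated time for its size, while a non-match says nothing about the side-channel issue the thread is discussing, which lives in the device rather than in the key.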