Firefox 118 is out of scope of all security scanners. NIST is to blame.
From FF 117 branch to 119 in official-cpe-dictionary_v2.3.xml

TL;DR: According to the NIST CPE Dictionary there is no Firefox 118 branch. So it can't be vulnerable, and all your security scanners won't see any of the CVEs in it.

The CPE Dictionary (Common Platform Enumeration) is a structured naming scheme for identifying and describing classes of applications, operating systems, and hardware devices within an information technology (IT) environment. It is part of a suite of specifications that aim to standardize the way IT assets are identified and managed, facilitating interoperability and improving security.

Who Creates and Maintains the CPE Dictionary?

The CPE Dictionary is created and maintained by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce. NIST provides and supports the CPE Dictionary as part of its mission to enhance the security and resilience of the nation's cyber infrastructure.

The development and upkeep of the CPE Dictionary involve the following steps:

Development of Standards: NIST collaborates with industry experts, cybersecurity professionals, and other stakeholders to develop and refine the CPE standards.

Updating the Dictionary: NIST regularly updates the CPE Dictionary to include new platforms, technologies, and products. This involves a review and validation process to ensure accuracy and comprehensiveness.

Community Contributions: While NIST oversees the CPE Dictionary, contributions and suggestions from the broader IT and cybersecurity communities are encouraged. These contributions help keep the dictionary up-to-date and relevant.

The primary purpose of the CPE Dictionary is to provide a common language for identifying IT products and platforms. This standardization is crucial for vulnerability management.

CPE consists of three main components:

CPE Name Format (CPE Name): Defines the syntax and structure of names used to identify IT products and platforms.

CPE Dictionary: A repository of standardized CPE names, each representing a specific product or platform.

CPE Matching: Methods and algorithms used to match CPE names to actual IT assets, enabling automated identification and management.

Latest CPE Dictionary from NIST: https://nvd.nist.gov/products/cpe
Name: official-cpe-dictionary_v2.3.xml
Size: 591753032 bytes (564 MiB)
SHA256: 570354C877506750E7935643DF64D1100E6225785D3EA17926AC46AD0AD2E47A

What does it do? It tracks existing software versions as CPE Names. When a CVE's CPE configuration specifies a vulnerable version range such as "<122 Excluding 122", the scanner resolves that pattern against this CPE Name Dictionary: only the versions that actually exist in the dictionary and fall inside the range are expanded, extracted, displayed or used in scans.

In this dictionary there is simply no CPE Name for the Firefox 118 branch. It has 117, then 119, and so on. This matters because when your scanners check a system for CVEs, they work with CPE Names already expanded from this dictionary. Since there is no Firefox 118 branch to expand, no vulnerability is ever attributed to it.
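To make that failure mode concrete, here is an added Python example; it is not code from this post, from NIST, or from any scanner. It parses a constructed XML fragment laid out like official-cpe-dictionary_v2.3.xml (same element names and namespaces, with the 118.x entries deliberately left out), resolves a version range the way a dictionary-driven scanner does, and contrasts that with comparing the installed version directly against the range bounds. The range end 119.0, the sample versions, and all function names are assumptions made for the illustration.

```python
"""Added example: why a missing dictionary branch hides CVEs from a
dictionary-driven scanner, and why direct range comparison does not."""
import xml.etree.ElementTree as ET

# Constructed fragment in the layout of official-cpe-dictionary_v2.3.xml
# (cpe-list -> cpe-item -> cpe-23:cpe23-item). The 118.x entries are
# deliberately absent, mirroring what the post reports for the real file.
SAMPLE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:mozilla:firefox:117.0">
    <title xml:lang="en-US">Mozilla Firefox 117.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:mozilla:firefox:117.0:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:mozilla:firefox:117.0.1">
    <title xml:lang="en-US">Mozilla Firefox 117.0.1</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:mozilla:firefox:117.0.1:*:*:*:*:*:*:*"/>
  </cpe-item>
  <cpe-item name="cpe:/a:mozilla:firefox:119.0">
    <title xml:lang="en-US">Mozilla Firefox 119.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:mozilla:firefox:119.0:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
"""

# Clark-notation tag of the CPE 2.3 item element inside the dictionary.
CPE23_ITEM = "{http://scap.nist.gov/schema/cpe-extension/2.3}cpe23-item"


def parse_version(v):
    """'117.0.1' -> (117, 0, 1) so versions compare numerically, not as
    strings (as strings, '118.0' < '19.0' would be true)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def dictionary_versions(xml_text, vendor, product):
    """Every concrete version of vendor:product the dictionary enumerates."""
    root = ET.fromstring(xml_text)
    versions = []
    for item in root.iter(CPE23_ITEM):
        # cpe:2.3:part:vendor:product:version:update:edition:...
        parts = item.get("name").split(":")
        if parts[3] == vendor and parts[4] == product and parts[5] not in ("*", "-"):
            versions.append(parts[5])
    return versions


def expand_range(versions, end_excluding, start_including=None):
    """Dictionary-driven expansion, the behaviour the post describes: the
    range becomes the list of dictionary versions inside it. A branch the
    dictionary lacks can never appear in this list."""
    hi = parse_version(end_excluding)
    lo = parse_version(start_including) if start_including else None
    return [v for v in versions
            if parse_version(v) < hi and (lo is None or parse_version(v) >= lo)]


def in_range(installed, end_excluding, start_including=None):
    """Direct comparison of the installed version against the range bounds.
    Independent of whether the dictionary lists the branch at all."""
    v = parse_version(installed)
    hi = parse_version(end_excluding)
    lo = parse_version(start_including) if start_including else None
    return v < hi and (lo is None or v >= lo)


def scanner_verdicts(installed, end_excluding="119.0", xml_text=SAMPLE_DICTIONARY):
    """Return (dictionary_driven_hit, direct_comparison_hit) for one installed
    Firefox version. The bound 119.0 is an assumed, illustrative range end."""
    known = dictionary_versions(xml_text, "mozilla", "firefox")
    expanded = expand_range(known, end_excluding)
    return installed in expanded, in_range(installed, end_excluding)


if __name__ == "__main__":
    for ver in ("117.0.1", "118.0.2", "119.0"):
        dict_hit, direct_hit = scanner_verdicts(ver)
        print(f"Firefox {ver}: dictionary-driven={dict_hit} direct={direct_hit}")
```

For 118.0.2 the dictionary-driven verdict is False while the direct comparison is True: that gap is exactly the blind spot described above. The practical check for a defender is therefore to evaluate the range bounds NVD publishes (versionStartIncluding, versionEndExcluding and friends) against the version actually installed, rather than trusting only the names a scanner managed to expand from the dictionary.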

Mozilla's own records tell a different story: here is a bug that explicitly states it pertains to version 118 and will not be fixed in 118: https://bugzilla.mozilla.org/show_bug.cgi?id=1830820.

Meanwhile, in the CPE section of NIST's entry for CVE-2023-5721, only version 117 is listed: https://nvd.nist.gov/vuln/detail/CVE-2023-5721#range-13003528

CVE-2023-5721 on nvd.nist.gov without FF 118 branch

This is the case for every FF (Firefox) bug found since the release of FF 118, including those found today, and there are plenty of them. A report was sent to NIST at the e-mail address cpe_dictionary@nist.gov.
