Ok so two things. Firefox ESR and mainline.
If you are on an unsupported version of Ubuntu, like my web server which hosts other people's stuff, and cannot upgrade, you can keep the kernel up-to-date with mainline.
https://github.com/bkw777/mainline/releases/
It parses the Ubuntu kernels from the Ubuntu archive and lets you select one and it installs it.
As the web site says, “Few things can compromise the security of a Linux system worse than a compromised kernel”.
https://wiki.ubuntu.com/Kernel/MainlineBuilds
If you are going to be surfing the web on that machine, it’s a good idea to also run Firefox ESR.