I am not in IT so i do not understand these issues well.
I know that Debian has older libraries and packages and some CVEs do not get patched.
Since Firefox, installed as a deb, relies on system libraries, does that mean it is less secure tha if installed on more up to date distro like Fedora? Or the security of Firefox is the same?
Yes and I’m also pretty sure Debian Firefox itself is on a earlier version
It seems CVEs do get backported but patches without CVE IDs (apparently common in less popular software) may not get patched except in major updates every 2 years. If you install Firefox from Mozilla’s repository (which is Mozilla’s recommended way to install it on Debian) you can cut out the Debian package maintainer middle-man. As for your question on system libraries, I’m not too sure. If you’re really concerned with staying more up-to-date while remaining on a stable distro, I’d encourage you to switch to Fedora.
Very consistently, the Debian team is rather serious about security, and known security fixes are backported. Where some people (myself included) may raise some concerns are in the case where some bugfixes might turn out to also patch out a security flaw but wasn’t marked as such for an assortment of possible reasons. This, in turn, would lead to users of some libraries to be exposed temporarily to potential issues which users of more up-to-date libraries are protected from.
The case for Firefox has some slightly different risks. IIRC, Firefox ESR (the edition used in Debian stable) backports security fixes for issues marked “high” and “critical”, but not for other fixes. This is a policy from the Firefox team themselves, though I’m not aware if the Debian side performs some additional work for security.