When it
comes to an updated browser, the exploit relies upon very precise
timing differences between operations -- if the browser won't report
timing with enough precision, then the exploit cannot work reliably if
at all (probably not at all).
Now as for TB, well, one would hope (I don't now the answer), that
they too have implemented the same fixes that Mozilla made for Firefox
to thwart the success of an exploit as well, ie have timing being less
granular to be able to perform the exploit.
Anyway, if the CPU microcode can be attained for the older CPUs, then
the licensing issue with Debian providing it is no longer a concern (I
believe). Refer https://01.org/mcu-path-license-2018