Firefox automatically applies invisible Hotfixes

Mozilla can fix some bugs in Firefox without issuing a new version by publishing a hotfix add-on instead. Hotfixes cannot be used to fix arbitrary bugs. They cannot fix a broken algorithm, but a hotfix can, for example, disable a new feature if it causes too many problems.

Examples

Mozilla used a hotfix in February 2015 to fight the Superfish malware by disabling its certificate.

Another hotfix was deployed in August 2015 to disable the new feature "async plugin init", because it was incompatible with some Flash content, most notably Farmville.

Automatic Deployment

Hotfixes are installed even when automatic updates are disabled. Instead, they follow the rules for add-on updates. The default setting for add-on updates is to check every 24 hours and to update automatically with no questions asked.

This can be undesirable in a corporate environment, where IT is obliged to test all new software versions before they are deployed.

Hiding

Hotfixes do not follow the normal release schedule, and are not listed in release notes. They are not officially announced like new versions, and do not modify the version number of Firefox. Hotfix add-ons run in the background without showing any visible sign. They automatically remove themselves after they have run, thus they cannot be seen in the list of installed add-ons.

How it works

Firefox has a hardcoded add-on id for hotfixes. Whenever it checks for add-on updates, it also checks for this specific add-on id. If a new hotfix is found, Firefox downloads and runs it.
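For the corporate case under "Automatic Deployment" and the mechanism described above, here is an added example (not from this article or from Mozilla) that audits a profile's preference file for whether hotfixes would still arrive. The pref names `extensions.update.enabled`, `extensions.update.interval`, `extensions.hotfix.id` and `app.update.*`, their defaults, and the assumption that clearing the hotfix id stops the check are taken from Firefox releases of that period, not from this page.

```python
import re

# Assumed defaults for Firefox releases of that period; only the 24-hour
# check interval is stated in the article itself.
DEFAULTS = {
    "extensions.update.enabled": True,
    "extensions.update.interval": 86400,  # seconds
    "extensions.hotfix.id": "firefox-hotfix@mozilla.org",
}

# Matches lines from prefs.js / user.js and from AutoConfig (.cfg) files.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for every bool, int or string pref in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, unsupported syntax
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def hotfix_exposure(text):
    """Decide whether a profile with these prefs still fetches hotfixes."""
    eff = {**DEFAULTS, **parse_prefs(text)}
    blockers = []
    if not eff["extensions.update.enabled"]:
        blockers.append("add-on update checks disabled")
    if not eff["extensions.hotfix.id"]:
        blockers.append("hotfix add-on id cleared")
    return {"receives_hotfixes": not blockers,
            "check_interval_hours": eff["extensions.update.interval"] / 3600,
            "blockers": blockers}

# Constructed sample: browser updates are off, add-on updates are untouched.
SAMPLE_USER_JS = '''
// constructed example profile
user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
'''

if __name__ == "__main__":
    print(hotfix_exposure(SAMPLE_USER_JS))
```

The constructed sample turns off browser updates only, and the audit still reports the profile as receiving hotfixes, which is the situation this article warns about.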

More Info

Description: https://wiki.mozilla.org/Features/Desktop/Add-on_hotfix

List of hotfixes so far: https://hg.mozilla.org/releases/firefox-hotfixes/file/tip/README

The list of automatic connections does mention automatic add-on updates, but says nothing about hotfixes.

