• Pale Moon 28.16.0

    mattatobin 1 week ago 0 commits to release since this release

    This is a development and security update to the browser.

    Note for Linux users: With CentOS 6 going end-of-life, this version will be the last for which we will be building 32-bit Linux official binaries to download. While your distribution may choose to continue offering 32-bit versions of the browser, built from source by the maintainers, we won’t be offering any further official 32-bit Linux binaries on our website. Please check with your distribution’s package maintainers to know if further 32-bit support will be available on your particular flavor of Linux.


    • Aligned CSS tab-size with the specification and un-prefixed it.
    • Updated Brotli library to 1.0.9.
    • Updated JAR lib code.
    • Optimized UI code, resulting in smaller downloads and less space consumed on disk.
    • Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 makes some frameworks unhappy, refusing access to users)
    • Cleaned up HPKP leftovers.
    • Disabled the DOM filesystem API by default.
    • Removed Phone Vibrator API.
    • Fixed an issue where the software uninstaller would not remove the program files it should.
    • Fixed a devtools crash related to timeline snapshots.
    • Fixed an issue in Skia that could cause unsafe memory access. [DiD]
    • Fixed several data race conditions. [DiD]
    • Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors.
    • Linux: Fixed an overflow issue in freetype.
    • Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.

    Implementation notes:

    • Windows binaries should all be properly code-signed again.
    • The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation.
    • The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We’ve disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform.
    • One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may “leak” your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it’s unambiguous what to do with single words in that case.

    Built with the Unified XUL Platform - November 24, 2020 release.

  • 1 week ago
  • Pale Moon 28.15.0

    Moonchild 1 month ago 7 commits to release since this release

    This is a standard development and bugfix release.


    • Implemented support for CSS caret-color.
    • Implemented support for un-prefixed ::selection CSS pseudo-element styling.
    • Fixed another potential crashing scenario in ResizeObservers.
    • Fixed several crashes in the DOM Fetch API.
    • Fixed a crash in table pagination.
    • Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards.
    • Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable.

    Built with the Unified XUL Platform - October 24, 2020 release.

  • 1 month ago
  • Pale Moon 28.14.2

    wolfbeast 2 months ago -24 commits to master since this release

    This update fixes a few important issues.


    • Fixed some additional crashes caused by the ResizeObserver API. This should take care of all crashes that have been attributed to this new code.
    • Fixed erroneous parsing of CSS percentages as number values.
  • Pale Moon 28.14.1

    wolfbeast 2 months ago -23 commits to master since this release

    This update addresses an intermittent crash in the newly-implemented ResizeObserver API (introduced in 28.14.0) occurring on a number of high-profile and often-used websites.

  • Pale Moon 28.14.0

    mattatobin 2 months ago -22 commits to master since this release

    This is a development and security update.

    • Updated the browser identity code for website security to more clearly indicate website status.
      A detailed explanation is available on the forum and beyond the scope of these release notes.
    • Updated unofficial branding to be more generic and more clearly separate unofficial builds from Pale Moon as a product.
      Please note that this goes hand in hand with an update of our redistribution license, and from this point forward any “New Moon” products are to be considered separate, and not unofficial Pale Moon builds or in any way related to or affiliated with Pale Moon, despite the similarity in name.
    • Added a preference (signon.startup.prompt) to give users the option to ask for the Master Password the moment the application starts (before the main window opens). This allows a workaround for getting multiple Master Password prompts if individual components need access to the password store at the same time.
    • Changed the way download sources are displayed to always use the actual domain downloads are from. In some situations the browser would previously display the domain of the referring page in an inconsistent fashion.
    • Implemented the ES2019 Object.fromEntries() utility function.
    • Implemented the CSS flow-root keyword.
    • (Re-)implemented percentage-based CSS opacity values according to the updated spec.
    • Implemented the last few missing bits for a standards-compliant implementation of JavaScript modules.(preloading, resource: scheme, etc.)
    • Implemented the ResizeObserver DOM API.
    • Fixed a null crash on some websites using CSS clip paths.
    • Updated script handling inside SVGs to only run scripts if they are enabled and permitted, avoiding a potential XSS pitfall.
    • Fixed several memory safety hazards and crashes.
    • Updated the MediaQueryList interface to the updated spec. It now inherits from EventTarget and implements AddEventListener/RemoveEventListener in addition to AddListener/RemoveListener and should improve web compatibility for some sites.
    • Removed support for the archaic and non-standard <marquee> element.
    • Removed some leftovers from the discontinued plugin update checker service.
    • Removed some internal HPKP implementation leftovers.
    • Cleaned up the Windows widget code to reduce potentially vulnerable direct-dll loads.
    • Security issues fixed: CVE-2020-15676 and CVE-2020-15677
    • Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 defense-in-depth, 7 not applicable.

    Built with the Unified XUL Platform - September 29, 2020 release.

  • 2 months ago
  • 2 months ago
  • Pale Moon 28.13.0

    mattatobin 3 months ago -5 commits to master since this release

    This is a compatibility, bugfix and security update. Special thanks to our new code contributors this cycle (you know who you are)!


    • Updated the included site-specific user-agent overrides for a number of websites that need them.
      Rewritten the browser’s padlock code to use more modern APIs and provide more accurate security status indication.
    • Now also with localized tooltips!
    • Fixed a missing close button on the undo prompt after removing a thumbnail from the QuickDial new tab page.
    • Fixed an issue with the alternative stylesheet menu in the browser’s UI not working.
    • Implemented the use of intrinsic aspect ratios for images to improve layout during load and page positioning.
    • Added a preference to the use of node.getRootNode and disabled by default. See implementation notes.
    • Added CSS -webkit-appearance as an alias for -moz-appearance to improve compatibility with websites that only try to use Chrome-specific keywords to style standard form elements.
    • Updated the SQLite library to 3.33.0.
    • Reinstated precise floating point precision model in JavaScript for those alternate builders who foolishly try to use the inaccurate “fast” model.
    • Improved spec compliance of modular JavaScript use (ECMAScript modules).
    • Changed media errors to be a more generic response, and added a preference (media.sourceErrorDetails.enabled) to enable detailed error reporting of media errors for debugging purposes.
      Previously, detailed errors were provided by default which could lead to privacy issues.
    • Improved code stability of the AbortController implementation.
    • Fixed a race condition in the secure connection library (NSS).
    • Security issues fixed: CVE-2020-15664, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 defense-in-depth, 1 rejected, 9 not applicable.

    Implementation notes:

    • In 28.11.0 we introduced node.getRootNode because some websites would fail with an error if this function was not present. Unfortunately, this caused problems with other sites that (incorrectly) assume Google WebComponents are available when this utility function is present (feature detection gone wrong). While it is considered by some to be part of the Google WebComponents implementation, it actually has utility value outside of that use. Because of the problems caused, we’ve added a preference and disabled it by default, fixing these kinds of websites.

      When needed, you can re-enable this function with dom.getRootNode.enabled

      This should improve web compatibility by default yet still allow users to enable this function for websites that use its utility but do not use WebComponents.

    Built with the Unified XUL Platform - September 1, 2020 release.

  • Pale Moon 28.12.0

    wolfbeast 4 months ago 20 commits to master since this release

    This is a development, bugfix and security update.


    • Added controls for WASM to the browser’s preferences, and enabled by default.
    • Enabled various arbitrarily-disabled CSS functions.
    • Added the use of basic path descriptors (i.e. polygon) to css clip paths.
    • Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below.
    • Updated the included US-English dictionary, adding approximately 2500 additional words.
    • Removed the DOM battery API. This was already disabled for privacy reasons for a long while.
    • Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries.
    • Fixed an issue with the sessionstore tab load preference.
    • Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658)
    • Fixed a code issue with base64 encoding of data.
    • Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD
    • Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652)
    • Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable.

    Implementation notes:

    • In 28.11.0, we introduced the Abort API as new code. The implementation of it still had an issue where especially web workers would not always see the availability of abort signals on fetch requests while AbortSignal was implemented in the browser. This effectively made some websites (especially those using a particular polyfill for the Abort API that would detect the need to polyfill by way of Request.signal) throw errors that were fine before. We offered users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled).
      v28.12.0 fixes the multi-threaded handling of signals, which should solve these problems. As such, the workaround is no longer needed and upon upgrade the preference will be reset to enable AbortControllers again.
    • DLL-hijacking on Windows would only be possible if a malicious actor already either gained administrative access to the program’s installation folder or otherwise have unrestricted access to the program folder (by having it installed in local application folders inside the user’s profile space or other insecure program locations). In that case the system is already compromised and any executable can be replaced, so having dll loading hijacked would be the least of your concerns (i.e. the main program .exe could also be replaced/infected in that case).

    Built with the Unified XUL Platform - July 30, 2020 release.

  • Pale Moon 28.11.0

    wolfbeast 4 months ago 31 commits to master since this release

    This is a development, bugfix and security update.


    • Changed storage format for certificates and passwords to SQLite.
    • Added a preference (browser.tabs.insertAllAfterCurrent) to enable always adding new tabs after the current tab, whether related or not.
    • Changed the way Firefox extensions are displayed in the add-on manager (provide a clear warning).
    • Denied other types of add-ons that aren’t explicitly targeting Pale Moon’s ID.
    • Improved the browser’s DPI-awareness to be per-monitor instead of system-wide, on supported Windows operating systems.
    • Updated bookmark backups code with the other half of what should have been done way back when, so they work fully as-intended.
    • Added a preference (browser.bookmarks.editDialog.showForNewBookmarks) to enable immediately showing the edit dialog for new bookmarks.
      If set to true, clicking the star in the address bar will pop open the edit dialog immediately for changing details/sorting.
    • Fixed the useragent string in native mode, and updated UA code to properly respond to live changes to some preferences.
    • Tidied up front-end browser JavaScript.
    • Changed the way sources are compiled (on-going de-unification).
    • Improved compatibility with gcc v10
    • Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
    • Fixed some build issues in non-standard configurations.
    • Fixed wrong positions when calculating the position for position:absolute child inside a table.
    • Aligned file name extension of saved url files with other applications (lower case)
    • Fixed building with --disable-webspeech (to disable speech synthesis)
    • Added global menubar support for GTK.
    • Implemented node.getRootNode
    • Implemented AbortController (Abort API)
    • Improved the uninstaller to use elevation when prudent and actually remove program files.
    • Fixed a rare issue with editable page content.
    • Fixed a crash related to ES module scripts.
    • Aligned ES module scripting better with the current spec and removed eager instantiation.
    • Fixed a potential issue with the JPEG encoder. (CVE-2020-12422) DiD
    • Fixed a potential issue with AppCache manifests. DiD
    • Fixed a potential crash in JavaScript date parsing.
    • Fixed a problem with RSA key generation that would make it potentially vulnerable to side-channel attacks. (CVE-2020-12402)
    • Fixed a potential crash due to multithread race condition. DiD
    • Fixed a correctness issue in URL handling. (CVE-2020-12418) DiD
    • Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 4 defense-in-depth, 10 not applicable.

    Built with the Unified XUL Platform - July 12, 2020 release.

  • Pale Moon 28.10.0

    wolfbeast 6 months ago 128 commits to master since this release

    This is a development, bugfix and security update.


    • Implemented URLSearchParams’ sort() function
    • Implemented ES2020 globalThis for web compatibility
    • Improved our WebM media parser to be more tolerant to different encoding styles.
    • Improved our MP3 media parser to be more tolerant to different encoding styles and particularly tiny files/stream chunks.
    • Improved performance of table drawing for more corner cases
    • Changed the way images without a src are handled in page layouts to align with the Chrome-pushed spec.
    • Added modern MIPS support
    • Split out the ICU data file from xul.dll on Windows
    • Fixed a regression in WebAudio channel handling due to a landed security fix.
    • Fixed a regression preventing scripting from properly disabling input controls
    • Fixed an issue with border radius sometimes not being honored in tables
    • Fixed some build issues in non-standard configurations.
    • Removed more telemetry code
    • Removed the in-browser speech recognition engine and API
    • Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
    • Changed handling of braille blanks in the ui (CVE-2020-12409) DiD
    • Mitigated a potential timing attack against DSA keys in NSS (CVE-2020-12399)
    • Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 1 defense-in-depth, 8 not applicable.

    Built with the Unified XUL Platform - June 3, 2020 release.

  • Pale Moon 28.9.3

    mattatobin 6 months ago 132 commits to master since this release

    This is a security update.

    • Fixed a potential vulnerability in the zip file reader. DiD
    • Fixed a potential vulnerability in the JavaScript JIT compiler related to aliases. DiD
    • Ported several upstream devtools fixes (addresses CVE-2020-12392 and CVE-2020-12393).
    • Improved memory safety of some WebAudio calls.
    • Improved memory safety in the XUL window destructor. DiD
    • Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 Defense-in-depth, 16 not applicable.

    Built with the Unified XUL Platform - May 6, 2020 release.

  • Pale Moon 28.9.2

    mattatobin 7 months ago 134 commits to master since this release

    This is a minor update for stability and compatibility.

    • Re-based the 28.9 version of browsers on a separate development branch that excludes the extensive work being done for Google WebComponents, to avoid potential performance and stability issues caused by as-of-yet incomplete and in-progress code for the new milestone.
    • Enabled DOM High Resolution timestamps for compatibility with websites that strictly rely on them for operation.
    • Added a preference to allow copying the unescaped URL from the address bar (especially useful for internationalized domain names and paths).
      To enable this, set browser.urlbar.decodeURLsOnCopy to true in about:config
    • Fixed several application crashes (thanks, Fysac!)

    Built with the Unified XUL Platform - April 27, 2020 release.

  • Pale Moon 28.9.1

    mattatobin 7 months ago 139 commits to master since this release

    This is a minor security and bugfix release.

    • Re-imported the ExtensionStorage js module for use by browser extensions.
    • Fixed an issue with the WebRequest module having erroneously un-processed build directives in it. This might have caused some subtle breakage.
    • Removed the use of high-resolution Windows system timers from the layout refresh driver; this should help with some performance and battery life issues.
    • Fixed an issue where various parts of hardware acceleration weren’t properly linked when changing the option from preferences.
    • If you have changed the preferences option to “use hardware acceleration when available” between 28.9.0 and this release, it is recommended that you go into preferences and toggle the option off/on to the preferred setting to correct any discrepancies.
    • Fixed an issue with building the user-agent string using the build date as ID.
    • Fixed an issue with the release of document content viewers (CVE-2020-6819). DiD
    • Fixed an issue with handling functions with rest parameters. DiD

    Unified XUL Platform Mozilla Security Patch Summary: 2 Defense-in-depth, 14 not applicable.

    Built with the Unified XUL Platform - April 8, 2020 release.

  • Pale Moon

    wolfbeast 8 months ago 142 commits to master since this release

    This is a small bugfix update addressing 2 more important issues in 28.9.0:

    • Fixed an issue with browser migration and initialization code causing various browser run-time problems.
    • Fixed an issue with cache behavior where some users would have trouble having their windows and tabs restored in “soft refresh” mode (see v28.9.0 release notes).
      To solve this, we reverted to the previous (pull from cache) mode for now while we investigate the cause.

    Built with the Unified XUL Platform - March 24, 2020 release.

  • Pale Moon

    wolfbeast 8 months ago 145 commits to master since this release

    This is a small update to address a problem with user-agent overrides not working as-intended for some people.

    Built with the Unified XUL Platform @ RELBASE_20200324

  • Pale Moon 28.9.0

    wolfbeast 8 months ago 148 commits to master since this release

    This is a major development update.

    New features:

    • Implemented asynchronous iterators (await and for await loops) (ES2018)
    • Implemented promise-based media playback.
    • Implemented non-standard legacy CSSStyleSheet rules functions.
    • Implemented the html5 <dialog> element. To switch this on, flip dom.dialog_element.enabled to true.
    • Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
    • Added 1.25x playback speed to html media elements.
    • Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories.


    • Aligned with the overhauled specification.
    • Aligned the way DOM styles are computed with mainstream browser behavior.
    • Removed the (unused) DOM promise implementation.
    • Enabled seeking to next frame in media files.
    • Enabled dynamic UA updates for emergency use.
    • Implemented rule processing stub for font-variation-settings.
    • Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
    • Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from
    • Improved reporting of the operating system in site-specific user-agent overrides.
    • Improved table drawing performance again after the rewrite for sticky positioning making it slower.
    • Updated CSP processing to allow custom scheme wildcards to be specified without a port.
    • Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
    • Changed the way hardware acceleration is controlled from the application.
    • Changed the default monospace font for main languages from Courier New to Consolas.
      This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
    • Changed the browser’s behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a “soft refresh” of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config.
    • Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
      For extensive release notes with all NSS changes, see NSS_Releases
    • Implemented an NSS performance optimization for Master Password use with limited effect.
    • Fixed some potential crashing scenarios with WebGL on Linux.
    • Completely removed showModalDialog.
    • Disabled some logging in production builds.
    • Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
    • Removed support for a number of critical libraries being system-supplied.
    • Removed “Copy raw data” button from the troubleshooting information page, since it’s never used by us in that format, and users mistakenly keep using it instead of copying text.
    • Removed a bunch of Android and iOS support code.
    • Fixed an issue with form elements sometimes being incorrectly disabled.
    • Fixed several crashes.
    • Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
    • Performed various tree-wide code cleanups.
    • Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
    • Cleaned up the application updater code.

    Security-related fixes:

    • Fixed a potential pointer issue issue in cubeb. DiD
    • Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
    • Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
    • Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
    • Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
    • Updated our sctp library code with several upstream fixes.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.
  • Pale Moon 27.9.4

    wolfbeast 2 years ago 246 commits to master since this release

    This will be the final maintenance release of Pale Moon 27 on the “Tycho” platform. Do not expect any further updates.

    This is a security and usability update.


    • Updated the useragent for to work around their “Only with Firefox” discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.
    • Restricted web access to the moz-icon:// scheme that could potentially be abused to infringe the user’s privacy.
    • Prevented various location-based threats. DiD
    • Fixed a potential vulnerability with plugins being redirected to different origins (CVE-2018-12364).
    • Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
    • Fixed an issue with invalid qcms transforms (CVE-2018-12366).
    • Fixed a buffer overflow using the computed size of canvas elements (CVE-2018-12359).
    • Fixed a use-after-free when using focus() (CVE-2018-12360).
    • Added some sanity checks on nsMozIconURI. DiD
    • Fixed an issue in the case the preferences file in the profile would not be writable (e.g. temporary permission issues due to backup, virus scanning or similar external processes).

    DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

  • Pale Moon 27.9.3

    wolfbeast 2 years ago 261 commits to master since this release

    This is a security update.


    • (CVE-2017-0381) Ported a patch from libopus upstream. Note, contrary to that report, the libopus maintainers state they don’t believe remote code execution was possible, so this was not a critical patch.
    • Fixed an issue with task counting in JS GC.
    • Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject (thanks to Berk Cem Göksel for reporting).
    • Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.
  • Pale Moon 27.9.2

    wolfbeast 2 years ago 271 commits to master since this release

    This is a security and stability update.


    • We changed the language strings for softblocked items so people will cry less when we do our job.
    • (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10.
    • (CVE-2018-5173) Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
    • (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a buffer overflow and crash if it occurs.
    • (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes.
    • (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths.
    • (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable extension in order to occur.
    • Fixed several stability issues (crashes) and memory safety hazards.
  • Pale Moon 27.9.1

    wolfbeast 2 years ago 287 commits to master since this release

    This is a maintenance release.


    • Removed the unused/incomplete places protocol handler.
    • Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
    • Ported across jemalloc improvements from UXP.
    • Ported across cairo mutex improvements from UXP.
    • Added support for FFmpeg 4.0/libavcodec 58.
    • Added a fix for Windows 10’s “isAlpha()” not being what one would expect in v1803.
  • Pale Moon 27.9.0

    wolfbeast 2 years ago 301 commits to master since this release

    This is the last major development update for the v27 milestone (codenamed “Tycho”).
    After this, we will be focusing our efforts for new features entirely on UXP and the new v28 milestone building on it. We will continue to support v27.9 with security and stability updates for a while, but no major new features will be added from this point forward.


    • Fixed a number of spec compliance issues in our media subsystem.
    • Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
    • Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
    • Updated RegExp(RegExp object, flags) to the ES6 standard specification.
    • Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
    • Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
    • Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address when upgrading.
    • Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
    • Added a fix to switch to the correct window/tab when a web notification is clicked.
    • Changed the placeholder text to not include “Search” when all search functions from the address bar are disabled.
    • Enabled the use of Skia for canvas on Linux and OSX.
    • Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I’m looking at you, Noto fonts!).
    • Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
    • Aligned XCTO:nosniff allowed script MIME types with the updated spec.
    • Improved the logic for storing vector images in the surface cache.
    • Fixed character set handling for XMLHttpRequests.
  • Pale Moon 27.8.3

    wolfbeast 2 years ago 344 commits to master since this release

    This is a small update to solve a pervasive crash in responsive web layouts.

  • Pale Moon 27.8.2

    wolfbeast 2 years ago 348 commits to master since this release

    This is a security update.


    • Privacy fix: prevented update checks for the default theme.
    • Added a user-agent override for Dropbox to improve compatibility with their service.
    • Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
    • Disabled the Mac OSX Nano allocator. DiD
    • Fixed (CVE-2018-5129) OOB Write.
    • Updated the lz4 library to 1.8.0 to solve potential issues. DiD
    • Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
    • Fixed several memory safety an synchronicity hazards.

    DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

  • Pale Moon 27.8.1

    wolfbeast 2 years ago 362 commits to master since this release

    This is a small update to address some breaking issues.


    • Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
    • Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.
  • Pale Moon 27.8.0

    wolfbeast 2 years ago 367 commits to master since this release

    This is a development update with new and improved features and bugfixes.


    • Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
    • Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
    • Added Eyedropper menu entry to the AppMenu.
    • Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
    • Added URL fix-ups for schemes (mis-typed “ttp://” etc.).
    • Added support for ES6 “Symbol species”.
    • Updated our TLS 1.3 support to the latest (probably final) draft.
    • Fixed gap inconsistency in the tabstrip.
    • Fixed a number of browser crashes.
    • Fixed a crash with the exponentiation operator “**”
    • Set the performance timer granularity to 1 ms.
    • Updated the kiss-fft library to our forked 1.4.0 version.
    • Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
    • Removed the notification bar when in full screen to prevent unwanted visible screen elements.
    • Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
    • Removed redundant checks for “Vista or later” since that is all we support.
    • Added display of the http status to raw request displays.
    • Added a workaround for cloned videos not retaining their muted state.
    • Added a temporary workaround to avoid crashes on trackless media.
    • Removed some superfluous ellipses from menu labels.
    • Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
    • Fixed some issues with setting the new tab preference (regression).
  • Pale Moon 27.7.2

    wolfbeast 2 years ago 0 commits to 27.7_RelBranch since this release

    This is a security and stability update.


    • Changed the X-Content-Type-Options: nosniff behavior to only check “success” class server responses, for web compatibility reasons.
    • Changed the perfomance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
      This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari’s lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
    • Improved the debug-only startup cache wrapper to prevent a rare crash.
    • Fixed a crash in the XML parser.
    • Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
    • Fixed a potential race condition in the browser cache.
    • Fixed a crash in HTML media elements (CVE-2018-5102)
    • Fixed a crash in XHR using workers.
    • Fixed a crash with some uncommon FTP operations.
    • Fixed a potential race condition in the JAR library.

    DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

  • Pale Moon 27.7.1

    wolfbeast 2 years ago 449 commits to master since this release

    This is a minor emergency update to address website breakage and a theme issue.


    • Added support for Array.prototype[@@unscopables].
      Unfortunately, the addition of Javascript’s ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
    • Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.