Pale Moon

What is new in this release:

• Fixed a sampling issue in libsoundtouch (DiD)
• Fixed an issue with a new upcoming Windows 10 feature not honoring Private Browsing mode by default (DiD)
• Fixed several stability and memory safety hazards. (DiD)
• Fixed an issue where files could inadvertently be executed with the designated file type handler instead of opened. (CVE-2019-17019)
• Fixed an issue with the JavaScript JIT compiler that could lead to exploitable crashes. (CVE-2019-17026) actively exploited
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 7 DiD, 12 not applicable.

What is new in version 28.1.0:

This major update is focused on performance, security and some regression and bug fixes.

What is new in version 27.9.4:

• Updated the useragent for addons.mozilla.org to work around their "Only with Firefox" discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.
• Restricted web access to the moz-icon:// scheme that could potentially be abused to infringe the user's privacy.
• Prevented various location-based threats. DiD
• Fixed a potential vulnerability with plugins being redirected to different origins.
• Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
• Fixed an issue with invalid qcms transforms.
• Fixed a buffer overflow using the computed size of canvas elements.
• Fixed a use-after-free when using focus().
• Added some sanity checks on nsMozIconURI. DiD
• Fixed an issue in the case the preferences file in the profile would not be writable (e.g. temporary permission issues due to backup, virus scanning or similar external processes).

What is new in version 27.6.2:

• Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
• Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents.
  Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar.
  Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
• Fixed an issue with mixed-content blocking.
• Added an extra check for the correct signature data type on certificates.
• Added missing sanitization in exporting bookmarks to HTML.
• Fixed several crashes and memory safety hazards.
• Fixed the Linux load throbber image to be properly encoded, to prevent flickering.
• Removed the shortcut key combination for restarting the browser to avoid issues with people using certain keyboard layouts hitting the combination and unintentionally triggering a browser restart.

What is new in version 27.5.0:

This is a major update furthering general development of the browser.

What is new in version 27.4.2:

• Fixed a number of crashes.
• Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
• Added a fix for TLS 1.3 handshakes causing a browser hangup.
  Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
• Updated NSPR to 4.15.
• Updated NSS to 3.31.1.
• Fixed a DoS issue using overly long Username in URL scheme
• Fixed an issue where (cross domain) iframes could break scope
• Fixed an issue in WindowsDllDetourPatcher
• Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates
• Fixed a UAF in nsImageLoadingContent
• Fixed a UAF in WebSockets
• Fixed a heap-UAF in RelocateARIAOwnedIfNeeded DiD (accessibility is disabled)

What is new in version 27.3.0:

A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.

What is new in version 27.2.1:

This is a small update to fix some stability and usability issues.

What is new in version 27.1.2:

• Implemented a fix in media handling to prevent crashes with concurrent videos and/or rapidly starting/stopping video playback in the browser.
• Fixed the way the Adobe Flash plugin is detected to prevent confusion with other plugins that identify themselves as "Flash" (e.g. VLC).
• Windows: Solved stability issues caused by the release build process, resulting in unexpected behavior (e.g. hangups).

What is new in version 27.0.3:

• Fixed certain network errors not displaying.
• Fixed network error page styling.
• Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
• Disabled downloadable font unicode-ranges on non-Windows platforms.
• Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
• Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions who rely on this (e.g. Stylish).
• Fixed and updated preferences for location bar suggestions.
• Fixed several x64-specific issues in memory allocation code (regression fix).
• Fixed timer issues when resuming a computer from stand-by (regression fix).
• Fixed a number of branding and textual issues in the browser.
• Fixed prompting for the saving of off-line data (previously always allowed without prompting).
• Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
• Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.

What is new in version 27.0:

• Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
• Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
• Pale Moon now fully supports HTTP/2.
• Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
• Media Source Extensions have been implemented to solve many video playback issues.
  This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
• Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
• Support for SSL/TLS connections to proxy servers.
• Support for the WOFF2 font format for downloadable fonts.
• The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
• The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.

What is new in version 26.5.0:

• Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
• Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
• Improved the performance of canvas poisoning by explicitly parallelizing it.
• Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
• Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
• Changed the way paletted image frames are allocated so the space is cleared before it's used.
• Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo.
• Fixed several memory safety issues and crashes.

What is new in version 26.4.0:

• Removed Google Search as a bundled search provider.
• Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
• Added the ES6 string .includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
• Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly.
• Linux: improved memory allocation.
• Updated the graphite font library to 1.3.9.
• Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
• Updated the SQLite library to 3.13.0.
• Download= properties of links are now honored from the context menu "Save" option.
• Fixed a crash in the XSS filter.
• Fixed a crash in the DOM error module.
• Worked around a crash on Linux
• Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment)

What is new in version 26.3.3:

• Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
• Fixed an issue with news feeds not showing up when embedded in web pages.
• Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.

What is new in version 26.2.1:

This is a small update to fix a problem with keyboard navigation of the user interface.

What is new in version 26.2.0:

• Implemented the URL API that's needed for a number of websites.
• Changed internal keystroke handling within the spec to better align with generally expected behavior.
• Re-styled about:sessionrestore to use more available screen real estate for tab info.
• Added an option to use the mousewheel for horizontal scrolling (mouse action value 4).
• Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
• Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
• Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
• Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
• Fixed several issues with the default theme causing problems with behavior due to styling.
• Fixed some miscellaneous issues in the internal jemalloc implementation.
• Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes.
• Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
• Fixed layout of reflowed comboboxes without enough space.
• Fixed a crash related to flexboxes overflowing themselves.
• Added a simple implementation for Weak Messagelisteners.
• Fixed a crash for losing our cache entry while finishing up compression.

What is new in version 26.1.1:

• Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
• Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0.
• Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.

What is new in version 26.0.2:

• Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
• Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
• Made sure that dom.disable_beforeunload is predefined in about:config.
• Fixed web compatibility issues with Youtube, Youtube Gaming, Yuku fora and Netflix.
• Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
• Reinstated the about:config warning by default.
• Fixed 2 potential browser crashes.
• Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
• Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
• Prevented unsafe memory manipulations in zip archives.
• Prevented a potential buffer overflow in WebGL. (x64 only)
• Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting this version will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.