Pale Moon - Your browser, Your way

Pale Moon: Release notes

26.5.0 (2016-09-28)

  • Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
  • Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
  • Improved the performance of canvas poisoning by explicitly parallelizing it.
Security fixes:
  • Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
  • Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
  • Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
  • Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
  • Fixed several memory safety issues and crashes.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

26.4.1 (2016-09-12)

This is a minor bugfix and security release.

  • Fixed a crash in the XSS filter.
  • Slightly changed the address bar shading on secure sites to be more subtle and easily-blended.
  • Fixed the occurrence of "null" titles in bookmarks dragged from special folders.
  • Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved.
  • Fixed some minor issues in scratchpad and gcli devtools.
Security fixes:
  • Updated the HSTS preload list to a much more updated source list, and performing our own checks on validity from now on to have the list be as accurate as possible.
  • Disabled Triple-DES cipher suites by default (mitigating SWEET32).
Portable-only: Changed the behavior to, by default, allow it to start a new copy or multiple copies without checking if Pale Moon is already running on the system. You will need separate profiles to run multiple browsers concurrently. (2016-08-23) - Linux only

This Linux-only release is once again using GStreamer 0.10 for video support, which should prevent Pale Moon from crashing when playing some HTML5 videos.

Additional changes/fixes:
  • A blacklist for GStreamer has been implemented and enabled by default (can be disabled with the media.gstreamer.enable-blacklist about:config pref).
  • The flump3dec GStreamer plugin (known to be crashy) & h264parser element (a potential security risk) have been blacklisted.
  • Fixed a couple other GStreamer related crashes.
  • No longer force Link Time Optimization with GCC 6

26.4.0 (2016-08-17)

  • Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Engines topic.
  • Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
  • Added the ES6 string .includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
  • Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly.
  • Linux: improved memory allocation.
  • Updated the graphite font library to 1.3.9.
  • Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
  • Updated the SQLite library to 3.13.0.
  • Download= properties of links are now honored from the context menu "Save" option.
  • Fixed a crash in the XSS filter.
  • Fixed a crash in the DOM error module.
  • Worked around a crash on Linux
  • Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment)
Security fixes:
  • (CVE-2016-5251)Potential URL spoofing in the address bar.
  • (CVE-2016-0718) Context-dependent crash in expat 2.1.0.
  • (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
  • Fixed potentially exploitable crash in the array splice implementation.
  • Fixed potentially exploitable crash caused by badly formatted ICO files.
  • (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown

26.3.3 (2016-07-01)

Another small bugfix update to address some breaking issues. Sorry for the rapid-fire releases, everyone; this is not our intention.

  • Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
  • Fixed an issue with news feeds not showing up when embedded in web pages.
  • Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main page and phpMyAdmin installations.

26.3.2 (2016-06-27) - Windows only

This release only has pertinent changes for Windows. Other operating systems do not need this update.


  • Fixed a rare issue where the browser would not initialize properly (missing bookmarks and menu entries) if certain Windows registry values were missing (Windows 8 only).
  • Fixed an issue on Windows 10 where the classic menu bar would become unreadable (white on white).
    Update: There's apparently a different issue still remaining that can cause the same trouble. Please see the Known Issues page for status and workaround.
  • Portable only: Switched to non-compressed binaries to prevent issues with antivirus packages, to prevent issues with browser run-time operation, and to simplify code signing.

26.3.1 (2016-06-25)

  • Fixed an issue with new tab button theming on dark toolbars.
  • Reverted the useragent identification of Firefox compatibility mode to 38.9 to avoid WOFF2 font issues for sites that don't use proper font deployment as recommended by the W3C.
  • Added a site-specific override for Google fonts to make sure it always works even if not using Firefox compatibility mode.
    (workaround pending for a proper solution on Google's side)
  • Adjusted the "dark color" detection routine to switch text to white at higher relative contrast levels.
    This will more closely match Windows 10's "flip point" for different accent colors and is within the recommended range determined by the WCAG.

26.3.0 (2016-06-21)

  • Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
  • HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
  • Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%).
  • String.prototype.match() and .replace() are now fully spec compliant.
  • NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
  • Worked around crashes in the XSS filter when navigating back in history due to document fragments.
  • Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
  • Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.
Security fixes:
  • Fixed a number of memory safety hazards and potentially exploitable crashes.
  • Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
  • Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
  • Fixed a memory overrun error in the VP8 encoder. DiD
  • Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD
  • Fixed CVE-2016-2825 Partial Same Origin Policy violation

26.2.2 (2016-05-10) & Android 25.9.2

This is mainly a security update.

  • Added a detection routine for dark window colors on Windows 8 and later (system themes using dark window frames) to better adapt to dark system colors. Theme developers can take advantage of this by checking for darkwindowframe="true" on #main-window in CSS selectors.
  • CSS classes prefixed with "--" no longer stop parsing of the selectors.
  • Several crash fixes.
Security fixes:
  • Made GC suppression more aggressive to prevent issues when actually out of memory.
  • Fixed a memory safety hazard in jpeg decoding.
  • Fixed a potentially exploitable crash when using bi-directional text.
  • Updated NSS to, fixing CVE-2016-1938 among other things.

26.2.1 (2016-04-08)

This is a small update to fix a problem with keyboard navigation of the user interface.

26.2.0 (2016-04-05)

This is a major update and bugfix release.

  • Implemented the URL API that's needed for a number of websites.
  • Changed internal keystroke handling within the spec to better align with generally expected behavior.
    This should fix the infamous "backspace" issue on Facebook.
    Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing.
  • Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!)
    From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported).
  • Re-styled about:sessionrestore to use more available screen real estate for tab info.
  • Added an option to use the mousewheel for horizontal scrolling (mouse action value 4).
    (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally)
  • Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
  • Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
  • Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
  • Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
  • Fixed several issues with the default theme causing problems with behavior due to styling (thanks, Antonius32) (Issue #384 and friends)
  • Fixed some miscellaneous issues in the internal jemalloc implementation.
  • Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now)
  • Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
  • Fixed layout of reflowed comboboxes without enough space.
  • Fixed a crash related to flexboxes overflowing themselves. (Issue #396)
  • Added a simple implementation for Weak Messagelisteners. (Issue #399)
  • Fixed a crash for losing our cache entry while finishing up compression.
    (re-apply after unintentional back-out switching to Goanna)
  • Linux: Worked around driver bugs with Intel drivers that falsely report what they can support in max texture size.
  • Portable only: Removed compression of the browser components library after some reports that in certain configurations and environments it was causing issues with the browser.
Security fixes:
  • Updated the graphite font library to 1.3.7+ to solve CVE-2016-2796 and no less than 14 of its friends.
  • Updated NSS to to address several vulnerabilities (UAF, heap overflow).
  • Updated libvorbis to a much more recent version to fix multiple issues.
  • Crash fix and DiD fixes by holding strong references to objects in suspect places in the HTML parser. (CVE-2016-1961) (ZDI-CAN-3574)
  • Fixed several out-of-bounds issues in the VP8 decoder.
  • Fixed a potentially exploitable crash in XML/XSLT handling.
  • Applied some Kung Fu to HTML animations and transitions to prevent memory hazards.
  • Fixed applicable Mozilla code vulnerabilities CVE-2016-1965, CVE-2016-1960 (ZDI-CAN-3545), CVE-2016-1966, and CVE-2016-1963.

26.1.1 (2016-02-24)

This is a bugfix release to improve stability and extension compatibility.

  • Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
  • Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0.
  • Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.

26.1.0 (2016-02-16)

This is a web compatibility, stability and bugfix release.

  • Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
  • Improved website compatibility with many sites and web applications by making our cookie gate less strict.
  • Fixed web compatibility with Google Hangouts and Yahoo Calendar.
  • Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
  • Fixed a few rare crashing issues on Windows due to the build process.
  • Reduced so-called "jank" on inner frame scrolling reflows.
  • Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!)
  • Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
  • Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
  • Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)
Security fixes:
  • Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs).

26.0.3 (2016-02-05)

This is a small bugfix release:
  • Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility.
    Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior.
  • Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.

26.0.2 (2016-02-03)

This is a bugfix, security and web compatibility release.

  • Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
    Please see the forum for information on which operating systems we can reasonably support.
  • Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
  • Made sure that dom.disable_beforeunload is predefined in about:config.
  • Fixed web compatibility issues with Youtube, Youtube Gaming, Yuku fora and Netflix.
  • Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
  • Reinstated the about:config warning by default.
  • Fixed 2 potential browser crashes.
Security fixes:
  • Updated NSS to to fix a potential UAF and CVE-2015-7575.
  • Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
  • Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
  • Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
  • Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting this version will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

26.0.1 (unreleased)

Internal development/test version.

26.0.0 (2016-01-26)

This is a new milestone release! It's been in the works for a good number of months, and has many hundreds of notable changes, fixes, and improvements that can't possibly all be listed here.

These release notes for this version are a concise summary, lifting out the most prominent and important changes. You may find slightly more detailed release notes on the forum.

General release notes:
  • Goanna logoPale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of bugs with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the bugs and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum.
  • We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs!
  • Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway.
  • The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas.
  • The browser user interface has received updates, making it more compatible with Windows 10 in many respects and more in line with the general styles of the operating system version it is run on in terms of the shapes of controls and color setting.
  • Updated graphics/media support: Pale Moon now supports the WebP image format, properly scales EXIF rotated JPEGs, has updated support for different WebGL texture formats, improved scaling of vector images, updated libpng, libjpeg-turbo, libvpx, and misc other upstream libraries/modules, and more!
  • Library changes:
    • The library now has a scope bar (pops up when searching) with the option to select what you want to search in (either bookmarks or history) and the option to save your searches.
    • By default, there will be a history menu drop-down in the browser's user interface next to the bookmarks one.
    • Added "Containing folder" and "Containing folder path" columns so you can see exactly where a bookmark is located at a glance when searching (after enabling the columns).
  • Added support for Ruby annotations. If you need this functionality, set the about:config preference browser.ruby.enabled to true, and restart the browser.
  • Added conservative image decoding: it will now only decode images that are (almost) in view, greatly improving overall memory use and initial loading of graphics-heavy pages.
  • Aligned 3D CSS transforms and perspective with the spec.
  • JavaScript improvements: added basic support for ES6 Promises, added element.matches(), updated property assignments, added Bin/Oct literals in Number(), improved performance of TypeOf calls, improved GC memory shrinking, improved memory allocations, improved RegEx performance and compatibility, and more!
  • Added CSS media queries to determine the OS the browser is running on, allowing theme designers to make specific changes based on OS at run-time.
  • Added a control preference for onunload= events as dom.disable_beforeunload. This allows you to completely disable events fired when leaving a page.
  • Changed the memory allocator to the (faster) system allocator on modern operating systems.
  • Improved the handling of very large numbers of tabs.
  • Added Ecosia as a "green" search engine alternative for the environmentally aware surfer.
  • Autoplay of media now has a separate control preference for scripted content as media.autoplay.allowscripted, to block script-initiated autoplay of media.
Security updates:
  • Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES.
  • Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter.
  • Distrusted several root certificates in accordance with security best practice.
  • Aligned cookie acceptance with RFC 6265 ยง4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them.
  • Removed several hazardous modules like the maintenance service and the identity module.
  • Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually.

25.8.1 (2015-11-28)

A small update to address two important issues:
  • Fix for a crash that could occur at random since the update to 25.8.0.
  • Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.

25.8.0 (2015-11-17)

This is a security, stability and usability update.

  • Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
  • Updated the JPEG decoder library to 1.4.0.
  • Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
  • Updated overrides to work around issues with Facebook and Netflix.
  • Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.
Security fixes:
  • Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126
  • Updated the NSPR library to 4.10.10 to address several security issues.
  • Updated the NSS library to 3.19.4 to address several security issues.
  • Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
  • Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
  • Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
  • Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
  • Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
  • Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
  • Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
  • Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
  • Fixed several Javascript-based memory safety hazards. DiD (Android only!) (2015-10-15)

A small update to the Android version only to fix an issue with the Sync setup still not working properly on Android clients.

25.7.3 (2015-10-14)

This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser.
Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.

25.7.2 (2015-10-02)

This is a stability update, addressing 2 critical hangs:
  • Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
  • Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.

25.7.1 (2015-09-28)

This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.

  • Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
  • Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).
  • Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
  • Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
  • Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
  • Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
  • Updated libnestegg to the most current version.
  • Fixed an issue where setting the location to an empty string could cause a reload loop.
Security fixes:
  • Changed the jemalloc poison address to something that is not a NOP-slide. DiD
  • Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
  • Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
  • Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
  • Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
  • Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
  • Fixed a potentially exploitable crash in nsXBLService::GetBinding
  • Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
  • Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
  • Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)

25.7.0 (2015-08-26)

This is a bugfix and maintenance release.

  • Code cleanup: Removed the (otherwise unused) visual event tracer code.
  • Code cleanup: Removed reflow performance tracing code (telemetry).
  • Fixed a key JavaScript bug where defining properties on an object would wipe the object.
    This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expecting the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped.
    This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.
  • Updated the SQLite library to
  • Added support for the element.matches() Web API function.
  • Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.
  • Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.
Security fixes:
  • Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
  • Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
  • Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
  • Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
  • Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
  • Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
  • Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)

25.6.0 (2015-07-27)

This release addresses some security issues and a range of usability improvements to the browser.

  • Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
  • Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
  • Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
  • The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
  • Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
  • Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
  • Added a count for the number of matches in the find bar. it will now list the total number of matches found, and which match is the currently highlighted one.
  • Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
  • Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
  • Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
  • Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
  • Updated and improved several languages for the Status Bar code, and added Slovenian.
  • Fixed an issue in the internal updater window not showing proper language strings.
  • Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
  • Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
  • Fixed a crash caused by bad Opus audio encoding in media files.
  • Fixed a crash when trying to measure memory in about:memory while playing video.
  • Fixed a rare crash in sLayersAccelerationPrefsInitialized
  • Fixed miscellaneous other crashes.
  • Fixed a DNS prefetching issue for the people using this feature.
  • Fixed an issue with single-word searches from the address bar when a proxy is in use.
  • Fixed a number of build issues on Linux when using system libs.
  • Added support for link-time optimization on newer Linux compilers.
  • Removed more telemetry code (ongoing project!).
Security fixes:
  • Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
  • Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
  • Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
  • Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
  • Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
  • Fixed an issue where an IPDL message was sent off the main thread.
  • Fixed a potentially exploitable TCPSocket crash due to a race condition.

25.5.0 (2015-06-10)

This is an important maintenance update with mostly under-the-hood changes.

  • Logjam fix: Refuse DHE keys with less than 1024 key bits
  • Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
  • Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
  • Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
  • HSTS preload list updates (Squarefractal)
  • Status bar locale addition: cs
  • Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
  • Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
  • Disabled the Sync promo box in doorhangers.
  • Updated libpng to version 1.5.22
  • Fixed support for builds using newer freetype on Linux. (Axiomatic)
  • Fixed --with-system-pixman builds. (Isaac Dunham)
  • Updated SQLite to version
  • Changed the after-upgrade page loaded to the release notes instead of the home page.
    (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
  • Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
  • Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
  • Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
  • Reorganized how pushed floats are handled in layout flow
  • Implemented a change to run the updater from the install directory instead of copying it.
  • Fixed transparency of the Pale Moon document icon for 256x256
  • Updated padlock code:
    - Added mixed-mode shading, and reorganized shading pref values more logically
    (0=off, 1=secure only, 2=secure+mixed, 3=all)
    - Cleaned up CSS
    - Cleaned up padlock logic a little
  • Hard-coded internal UA sniffing values for the extension legacy of devtools
  • Updated NSPR to 4.10.8
  • Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
  • Bumped the built-in site-specific UA compat mode overrides to v38
  • Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
  • Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
  • Added the option to load modules into a named scope (see issue #88)
  • Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
  • Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
  • Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
  • Added a preference for always preferring a certain dictionary language.
    To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
More information about changes in this version that would be important for extension developers and web programmers can be found here.

Security fixes:
  • Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
  • DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
  • Fix for updater hijacking (CVE-2015-2720)
  • Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
  • Fix for a buffer overflow in the XML parser (CVE-2015-2716)
  • Fix for a potentially exploitable crash in DNS handling

Release notes for previous versions (unsupported)

You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes page.

Halloween theme art by Laura Bevon
Site and contents © 2009-2016 Moonchild Productions - All rights reserved
Pale Moon is subject to the following licensing.
Policies: Cookies - User Content.