Pale Moon: Release notes
A major development update. Many things have changed in the media
back-end, but please understand that some things are still a work in
progress, and you may still encounter some html5 video playback issues
- Fixed up, checked and enabled vertical text writing modes!
Pale Moon will now be able to display vertical, right-to-left script.
- Added the option to reset non-default profiles.
- Fixed various issues in the WebP image decoder.
- Added internally-supported document types to allowed
- Fixed locale selection in ICU after update to ICU58.
Moon uses the system locale for date formatting, not the browser locale)
- Re-implemented the previous spellchecker dictionary logic
(allow user override of document/element language, improve logic and
make it unambiguous).
- Ongoing fixes for the MP4 parser and MSE.
- Made HTML Media Elements' preload attribute MSE-spec
The preload attribute on HTML media elements is now ignored in the case
of an MSE source. This prevents an issue with sourceopen not firing
- Fixed some issues with Windows WMF media playback.
- Fixed an issue with Synced preferences sometimes
overwriting stored individual preferences.
- Fixed display of RSS folder icons.
- Fixed issues with custom context menus.
- Fixed an issue importing bookmarks with separators losing
their extra data.
- Changed the way numeric addresses are handled in the
address bar so it doesn't perform a search when it shouldn't.
- Added an option (browser.sessionstore.cache_behavior)
control from which source restored tabs pull their page content:
0 = load restored tab data from cache (current behavior, default)
1 = refresh restored tab data from the network
2 = refresh stored tab data from the network and bypass any cached data.
- Improved upon a v27 performance regression with SVG scaling.
- Improved performance by being more selective which CSS
animations to process.
As a side-effect, elements changing their display from "none" to
something visible now also animate.
- Increased memory allocation for the use of very large PAC
- Added menu entries for the permissions manager and
improvements to its function and display.
- Added preferences to control "highlight all" behavior of
the find bar:
highlight all found words by default.
= true/false remember
the last-used state of Highlight All.
- Added devtools command-line options.
- Added remote IP and protocol to Devtools->Network entry
- Added support for
- Fixed a regression in the MSIE profile migrator.
- Removed migration of browser-specific settings when
migrating data from IE/Safari.
- Implemented optional parameters for permessage-deflate in
preparation for RFC7692 errata making acceptance of them mandatory (and
to prevent web compat issues due to the current conflicting text of it).
- Made the image document favicon skinnable.
- Aligned DOM selection addRange with the spec.
- Exposed mozAnon constructor js binding to system scopes for
- Updated NSS to 3.28.4-RTM to address a number of issues.
- Added support for RSA-AES(-GCM)-SHA256/384 suites to
- Reconfigured networking security: disabled static DHE
suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their
- Fixed referrer policy keyword to align with the current
spec ("cross-origin" vs "crossorigin").
- Added an option to display punycode domain for IDN websites
to combat phishing.
This is enabled by default for domain-validated https sites.
0 = Display IDN name in identity panel (previous behavior)
1 = Display punycode name for DV SSL domains (default)
2 = Also display punycode for HTTP sites if IDN name used
- Fixed an issue to prevent contacting remote servers when a
connection might get blocked.
- Fixed 3 public security flaws in libevent, which may affect
Mozilla-based products. DiD
- Fixed several memory- and thread-safety hazards.
- Fixed an address bar spoofing issue. (CVE-2017-5451)
- Fixed a potentially exploitable
crash with HTTP/2. (CVE-2017-5446)
- Fixed several security hazards in
XSLT processing. (CVE-2017-5438) (CVE-2017-5439)
- Fixed several security hazards in
old protocols. (CVE-2017-5444) (CVE-2017-5445)
- Fixed out-of-bounds access in text
- Fixed a potentially exploitable
issue with innerText. (CVE-2017-5442)
- Fixed a potentially exploitable
issue in graphite font shaping.
- Fixed a potentially exploitable
crash with credential-authentication.
- Fixed out-of-bounds access with
text selection in rare cases.
- Fixed a security hazard in the
This is a small update to fix some stability and usability issues.
- Fixed an issue with planar alpha handling (transparency)
when drawing JXR images.
introduced in 27.2.0.
This became apparent with the pentadactyl extension, but could happen
in other situations as well.
- Fixed a crash when opening ridiculously large images with
HQ scaling enabled (default).
Pale Moon will now only apply HQ scaling for images within reasonable
limits (64 Mpix or smaller). Images larger than that may not display
properly when zooming in, or may not display at all, even scaled down
(e.g. >256 Mpix large) and show a "broken image" placeholder
instead; please use dedicated image viewer applications for those kinds
of images; it is outside the scope of a web browser to handle such
- Changed the way URL hashes are handled, and will no longer
%-decode anchor hash identifiers by default.
Note that this is against RFC 3986, which states that any part of the
URL scheme that isn't data should be decoded.
This is required for web compatibility because several sites use hash
links to pass actual data to web applications (Please don't do this!
Hashes ar part of the URL address, should only consist of "safe"
characters, and aren't suited to pass arbitrary data) and the most
common browsers no longer follow the RFC in that respect.
If you want RFC compliance, switch dom.url.getters_decode_hash
- Restored 2 RSA Camellia cipher suites that were missing:
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- Fixed an issue with custom toolbars getting deleted during
upgrade from 27.0/27.1 to 27.2
This is a major update to the browser with a focus on back-end
improvements and security.
- Updated the ICU lib to 58.2 to fix a number of issues.
- Added proper control for the user for offline storage for
- Added a check to prevent auto-filled URLs from copying the
auto-filled selection to clipboard/primary.
- Added the feature to pass a URL to open in a private window
from the command-line.
- Improved the display of the downloads indicator on the
button in bright-text situations.
- DOM storage now honors the "3rd party cookie" setting in
that it will not allow 3rd party data to be stored if 3rd party cookies
- Allowed toolbar button badges to be properly styled.
- Updated the hunspell spellchecking library to 1.6.0 to fix
a number of issues.
- Fixed desktop notifications being off-screen if fired in
- Added Element.insertAdjacentElement and
Element.insertAdjacentText DOM functions.
- Added support for JPEG-XR images.
This makes Pale Moon have the broadest support for image formats of all
(enabled by default; you can disable this with media.jxr.enabled).
- Completely removed the use of GStreamer on Linux.
- Added support for element.innerText.
- Custom toolbars should now properly remember their state.
- Fixed some more playback issues with MP4/MSE videos.
Please be aware that we are still working on further improving MSE
- Changed media processing to reduce dangerous processing
This should also make media elements and playback more responsive.
- Fixed a useragent string regression always displaying the
minor Goanna version as .0
- Updated NSPR to 4.13.1.
- Updated NSS to 3.28.3-RTM.
- Fixed unrestricted icon sizes in PMkit buttons.
- Fixed unresponsive buttons on support page when not
building the updater.
- Fixed the use of "View image" and "Save image as" on
extremely large images.
- Changed the way "View Image" and "Save image as" work on
- Made checking for dangerously large resolution PNG images
It will now accept larger "strip"-aspect ratio images while reducing
unsupported large image resolutions.
This will e.g. fix Gmail's "emoji" window that uses a ridiculously long
but very narrow single image to store all the emoticon pictures.
- Converted several hard-coded URLs to preferences.
- Updated the google.com override so it would not cripple
services based on UA sniffing.
- Added Inner and Outer Window ID administration.
- Fixed the add-on discovery pane detection.
- Added support for canvas ellipse.
- Improved drawing of certain MathML elements at problematic
- No longer building gamepad support.
- Updated Harfbuzz font shaper to 1.4.3 to fix a number of
- Fixed a number of crashes (layout, plugins, uncommon
navigation, bad URLs).
- Aligned SVG specular filters with the spec.
DiD This means that
the fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code when
surrounding code changes, exposing the problem.
- Added support for 256-bit AES-GCM encryption.
- Added support for ChaCha20-Poly1305 encryption.
- Removed support for Camellia-GCM since nobody seems
interested in it.
(Camellia in 128/256-bit CBC block mode is still fully supported).
- Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to
- Improved status handling of secure sites to be less
sensitive to "insecure" items that are local.
- Fixed print preview hijacking. (CVE-2017-5421)
- Fixed a potentially exploitable crash in OnStartRequest.
- Fixed potential cross-origin content-stealing through a
timing attack. (CVE-2017-5407) DiD
- Fixed a denial-of-service problem with view-source.
- Fixed crash in directional controls. (CVE-2017-5413)
- Fixed a perceived problem with chrome manifests.
- Fixed the use of an uninitialized value. (CVE-2017-5405)
- Fixed a buffer overflow. (CVE-2017-5412)
- Fixed a UAF situation. (CVE-2017-5403)
- Fixed a potential spoofing issue with the address bar.
- Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
- Fixed a potential issue with HTTP auth. (CVE-2017-5418)
- Fixed several memory safety hazards and potentially
exploitable crashes. DiD
This is a small update adding a workaround for potential deadlocks
happening in media elements.
This is a stability and bugfix update to the browser.
- Implemented a fix in media handling to prevent crashes with
concurrent videos and/or rapidly starting/stopping video playback in
- Fixed the way the Adobe Flash plugin is detected to prevent
confusion with other plugins that identify themselves as "Flash" (e.g.
- Windows: Solved stability issues caused by the release
build process, resulting in unexpected behavior (e.g. hangups).
is a major update with lots of development and bugfixes. It also
introduces the so-called "PMkit" modules, our effort to restore
compatibility with Jetpack/SDK extensions and making it possible for
extension developers to convert their SDK extensions with little effort
to a Pale Moon compatible format. For more details please check
the PMkit documentation on the developer wiki.
- Reworked the media back-end completely (thanks Travis!) to
use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our
own MP4 parser, and no longer relying on gstreamer on Linux, as well as
adding some improvements on Windows for media parsing and playing.
Linux, Apple .mov files of the correct type will also be played through
FFmpeg now, for those rare occasions where they are still in use,
considering there is no Quicktime plug-in available on that operating
- Restored the classic about:config styling.
- Added a fallback to US-ASCII if the autoconfig UTF-8
- Improved cross-compartment wrapper handling when managing a
large number of tabs (fixes a performance regression with v27).
- Changed the way audio and video synchronization is
calculated to account for (slow) device latency, preventing things from
getting out of sync on e.g. BlueTooth-connected speakers.
- Changed the way scripts are handled when they are stopped
from the "unresponsive script" dialog, to prevent browser lockup. We
will now stop all scripts in the affected compartment in one go.
- Fixed several errors in the devtools.
- Fixed a nasty crash caused by cross-origin referrers.
- Fixed the installer to allow 64-bit versions of the browser
to be installed on Vista again.
- Added HTML5-spec clipboard handling for content
(cut© only -- paste is not allowed for security reasons).
- Made multiple changes to the toolkit jetpack modules to
cater to PMkit extensions.
should make running SDK-based modules as PMkit extensions fairly simple
for extension developers. See the introductory text to these release
- Fixed a css layout issue: make max-width affect
contributions to intrinsic min-width.
- Implemented several updates to the permissions manager.
Among others, Improved the permissions manager (about:permissions) with
a more complete set of permissions for pages.
- Removed otherwise unused Metro browser platform/widget code.
- Removed support for non-standard/deprecated let blocks and
- Made the use of let as a keyword versionless and ES6
- Made the privacy category in preferences a tabbed setup to
better fit the current options.
- Fixed a regression preventing certain MP4 video files from
- Fixed a regression where seeking in media files would halt
playback/jump to the end of the stream.
- Fixed a crash caused by certain downloadable fonts with
DirectWrite in use.
- Improved downloads-button indicator legibility on some
combinations of Windows versions and system theme colors.
- Changed the Facebook user-agent override to be our native
one, based on reports from users that it is (finally) working
- Fixed site-specific useragents being ignored if a global
override is defined.
- Changed CORS handling to allow data: sources, assuming they
are same-origin. This should fix the infamous "Facebook endless reload"
issue and may make some other sites that assume this particular
(unspecified) CORS behavior happy with Pale Moon.
- Reinstated the network.stricttransportsecurity.enabled
preference so people who choose privacy over HSTS can do so again.
- Added, In HSTS "off" state, prevention of HSTS site status
from being written to disk.
- Updated the IDN blacklist with more extended unicode
characters that "look very similar to" normal ASCII characters, to
prevent spoofing of well-known domains. If blacklisted characters are
found, the IDN domain name will be displayed in its punycode form.
(CVE-2017-5383 and similar)
- Fixed an exploitable crash when using MP4 video.
- Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
- Fixed a potential security issue when exporting
certificates with specially-crafted credentials. (CVE-2017-5381)
- Fixed a potential use-after-free situation in frame
selection. (CVE-2017-5380) DiD
- Fixed a leak of window details through the Ion compiler in
- Fixed the potential for an exploitable crash involving
- Fixed a potential overflow situation in (non-released)
WebRTC code. DiD
- Fixed a potentially unsafe situation in websockets. DiD
- Fixed several memory and other safety hazards (BMO bugs
1318766, 1325877, 1328834 DiD,
1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344,
This is a bugfix and security update.
Security-related and crash fixes:
- Fixed certain network errors not displaying.
- Fixed network error page styling.
- Fixed the writing of DOM storage data to tabs (should solve
the "tabs not loading their contents" issue when migrating a profile
and some other situations).
- Disabled downloadable font unicode-ranges on non-Windows
- Added a Google Fonts user-agent override for non-Windows
platforms so they don't send unicode-ranged composite fonts (Feature
detection? Google apparently still doesn't know what that is).
- Re-enabled the reporting of CSS errors to the console by
default to prevent issues with some extensions who rely on this (e.g.
- Fixed and updated preferences for location bar suggestions.
- Fixed several x64-specific issues in memory allocation code
- Fixed timer issues when resuming a computer from stand-by
- Fixed a number of branding and textual issues in the
- Fixed prompting for the saving of off-line data (previously
always allowed without prompting).
- Fixed a layout regression that would cause block elements
following left floats to not wrap to the next line if there wasn't
- Fixed a mismatch in Firefox extension compatibility-mode
installation where Firefox extensions served by addons.mozilla.org
would be marked incompatible when trying to install.
DiD This means that the fix is
"Defense-in-Depth": It is a fix that does not apply to an actively
exploitable vulnerability in Pale Moon, but prevents future
vulnerabilities caused by the same code when surrounding code changes,
exposing the problem.
- Fixed use-after-free while manipulating DOM events and
removing audio elements (CVE-2016-9899).
- Fixed CSP bypass using the marquee tag (CVE-2016-9895).
- Fixed a vulnerability in the internal Jetpack modules
- Fixed use-after-free in Editor while manipulating DOM
- Fixed an error in the buffer logic in http-chunked decoder.
- Fixed a crash in generational GC code (not in use by
- Fixed a compartment mismatch bug in plug-in code
- Fixed a crash trying to get a nonexistent property.
- Improved MediaRecorder's observer safety.
- Fixed a crash related to document history.
This is a minor update to address usability and security issues:
- Enabled Firefox
Compatibility mode by default for the useragent string.
too many websites (and especially the big players who should know
better like Google, Apple and Microsoft) still require the "we must
be Firefox if we want this site to work" status quo to be
maintained, because people still insist on using useragent sniffing to
determine "browser features", or even worse, discriminate against free
choice of browser by flat-out refusing service (I'm looking at you,
banking industry and cloud services!) when visiting websites just
because companies don't
want to provide assistance to any but users on the main 3.
HTML offers plenty of ways
to do proper feature detection; site owners should use them.
Seriously people, it was a
bad idea 20 years ago, and it's a worse idea in 2016.
- The built-in devtools are
back, and with a facelift!
Thanks to some consistent community help, the built-in devtools, sorely
missed by a number of our users, are back. They've received a code and
style update and should be fully functional on the new platform. This
was originally planned for 27.1, but it was decided to include this as
soon as possible, not in the least to assist extension developers in
their efforts to adapt to Pale Moon 27.
- Security fix:
Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth
This is a bugfix release for some of the issues that popped up with the
- Fixed removal of distribution/bundles/ copies of status bar
code and ruby annotations code.
This should clean up everything on install/upgrade that currently
causes double code to create intermittent/odd behavior.
- Backed out some media back-end changes to fix MSE playback
on Twitch.tv and other similar sites.
- Disabled pop-up network status in full screen by default
(since video detection is rather iffy at the moment).
- Fixed a regression causing the "reset profile" button to
not appear in about:support on the default profile.
- Worked around bad Netflix interface changes - it will now
use a more compatible web UI.
Please note that these Netflix changes were unrelated to the actual
release of Pale Moon (26.5 is also affected).
- Aligned base status bar colors with default prefs.
- Fixed status bar options not being remembered.
an override for Amazon Prime videos so they won't stop us at the front
door any longer when not using the Firefox Compatibility user agent
- Re-applied proper branding text to in-app licensing.
After about 8 months of development, we now have a new milestone
release with literally too many changes to list even concisely. These
release notes will therefore only highlight the most important parts of
In this release we've done a full upgrade of our back-end platform,
meaning many things work different "under the hood" and you may run
into a number of extension compatibility issues as a result.
New and updated features:
- Support for DirectX 11 and Direct2d 1.1 on Windows. This
will bring Pale Moon more in line with the capabilities for current-day
operating systems and graphics hardware.
- Update of the Goanna engine to 3.0 - with many changes to
layout and rendering for the modern web.
- Pale Moon now fully supports HTTP/2.
- Ruby Annotations are now an integral part of the HTML
parser, controllable with CSS.
- Media Source Extensions have been implemented to solve many
video playback issues.
This can be enabled/disabled and configured in Options. It's
recommended at this time to not enable MSE for WebM since there are a
few issues with it on services like YouTube (e.g. losing audio when
- Support for reading and playing so-called "fragmented" MP4
files has been added, further solving media playback issues.
- Support for SSL/TLS connections to proxy servers.
- Support for the WOFF2 font format for downloadable fonts.
many landmark ECMAScript6 features (chief among them promises and
generators). This will solve many of the web compatibility issues that
people have started to run into in the past few months (e.g. webmail
interfaces, some sites coming up blank because they are
- The way web content is cached has been changed to be more
efficient. If you want to immediately take advantage of this, clear
- Removed support for Windows XP. If you are still running
Windows XP, then your only option is to continue using Pale Moon 26.
- Removed the internal PDF (pre)viewer. This module was not
maintained, was unable to display even half of the PDF documents
correctly, and could not reasonably remain included in the browser.
Please use a separate reader and/or install a PDF reader plugin.
- Disabled building of the devtools. They will not be
included in release versions of Pale Moon from this point forward. If
you are a web developer or otherwise need those tools, fear not! They
are available as a browser
- Removed the active XSS filter. This feature, although
effective, was prone to some instability and needs to be rewritten for
the update of our platform. It may or may not return in the future,
depending on whether the original author has time to rewrite parts of
this filter implementation.
- Removed support for Add-on SDK extensions (JetPack
extensions), considering the Mozilla/Gecko SDK is no longer compatible
with our combination of application and platform code.
Other important notes:
- All relevant security fixes up to and including Firefox 50
have been ported across from Mozilla to continue to provide an as
secure as possible browser.
- Several libraries have been updated to their latest
versions to pick up any important vulnerability fixes.
- There's a new option and control to determine whether to
save zone information (marking files as "downloaded from the Internet")
on downloaded files (Windows+NTFS). You can find this in Options.
first upgrading your browser to v27, your profile will be migrated to
the new format for the browser. This is a one-time conversion and
unfortunately this migration can cause some issues. Please see the forum FAQ
for more details.
- Pale Moon 27 will initially only be available in English.
We are working on getting localization done to have language packs
available over time.
Important: You can not use the previous language packs since
many strings have changed. Trying to do so will likely prevent the
browser from starting or functioning. Pale Moon will automatically
disable language packs for the previous version, but if you have
explicitly disabled add-on compatibility checking you may run into
- We will continue to fully support the following:
- NPAPI plugins
- Extensions with binary/XPCOM components
- XUL/Overlay and bootstrapped extensions
- Complete themes
- Unsigned and author-signed extensions
- The Camellia
encryption cipher (also in GCM mode)
- Graphite font shaping
- Sync 1.1 (albeit without support for syncing add-ons)
- Full customization of the UI as before
Release notes for previous versions (unsupported)
You can find the release notes for previous releases of Pale Moon on
the Archived Versions Release