Pale Moon: Release notes
is a major update with lots of development and bugfixes. It also
introduces the so-called "PMkit" modules, our effort to restore
compatibility with Jetpack/SDK extensions and to make it possible for
extension developers to convert their SDK extensions to a Pale Moon
compatible format with little effort. For more details please check the PMkit documentation on the developer wiki.
- Reworked the media
back-end completely (thanks Travis!) to use FFmpeg (including support
for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer
relying on gstreamer on Linux, as well as adding some improvements on
Windows for media parsing and playing.
Linux, Apple .mov files of the correct type will also be played through
FFmpeg now, for those rare occasions where they are still in use,
considering there is no Quicktime plug-in available on that operating
- Restored the classic about:config styling.
- Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
- Improved cross-compartment wrapper handling when managing a large number of tabs (fixes a performance regression with v27).
the way audio and video synchronization is calculated to account for
(slow) device latency, preventing things from getting out of sync on e.g. Bluetooth-connected speakers.
the way scripts are handled when they are stopped from the
"unresponsive script" dialog, to prevent browser lockup. We will now
stop all scripts in the affected compartment in one go.
- Fixed several errors in the devtools.
- Fixed a nasty crash caused by cross-origin referrers.
- Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
- Added HTML5-spec clipboard handling for content (cut & copy only -- paste is not allowed for security reasons).
- Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions.
should make running SDK-based modules as PMkit extensions fairly simple
for extension developers. See the introductory text to these release
- Fixed a CSS layout issue: make max-width affect contributions to intrinsic min-width.
several updates to the permissions manager. Among others, improved the
permissions manager (about:permissions) with a more complete set of
permissions for pages.
- Removed otherwise unused Metro browser platform/widget code.
- Removed support for non-standard/deprecated let blocks and expressions.
- Made the use of let as a keyword versionless and ES6 compliant.
- Made the privacy category in preferences a tabbed setup to better fit the current options.
- Fixed a regression preventing certain MP4 video files from playing.
- Fixed a regression where seeking in media files would halt playback/jump to the end of the stream.
- Fixed a crash caused by certain downloadable fonts with DirectWrite in use.
- Improved downloads-button indicator legibility on some combinations of Windows versions and system theme colors.
the Facebook user-agent override to be our native one, based on reports
from users that it is (finally) working acceptably.
- Fixed site-specific useragents being ignored if a global override is defined.
This means that the fix is "Defense-in-Depth": It is a fix that does
not apply to a (potentially) actively exploitable vulnerability in Pale
Moon, but prevents future vulnerabilities caused by the same code when
surrounding code changes, exposing the problem.
CORS handling to allow data: sources, assuming they are same-origin.
This should fix the infamous "Facebook endless reload" issue and may
make some other sites that assume this particular (unspecified) CORS
behavior happy with Pale Moon.
- Reinstated the network.stricttransportsecurity.enabled preference so people who choose privacy over HSTS can do so again.
- Added prevention of HSTS site status being written to disk when HSTS is in the "off" state.
the IDN blacklist with more extended unicode characters that "look very
similar to" normal ASCII characters, to prevent spoofing of well-known
domains. If blacklisted characters are found, the IDN domain name will
be displayed in its punycode form. (CVE-2017-5383 and similar)
- Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
- Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
- Fixed a potential security issue when exporting certificates with specially-crafted credentials. (CVE-2017-5381)
- Fixed a potential use-after-free situation in frame selection. (CVE-2017-5380) DiD
- Fixed a leak of window details through the Ion compiler in certain situations.
- Fixed a potential overflow situation in (non-released) WebRTC code. DiD
- Fixed a potentially unsafe situation in websockets. DiD
- Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, 1285960).
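
The IDN blacklist behavior described in the notes above (show the punycode form when a blacklisted look-alike character is present) can be sketched as follows. This is an added example, not Pale Moon's code; `SAMPLE_BLACKLIST` is a constructed set for illustration and not the browser's actual list, and all function names are hypothetical.

```python
# Added illustration: decide whether a hostname is shown as Unicode or punycode.

# Constructed sample set (assumption): HYPHEN, FRACTION SLASH, DOTLESS I,
# LATIN LETTER RETROFLEX CLICK. All resemble ASCII "-", "/", "i", "!".
SAMPLE_BLACKLIST = frozenset("\u2010\u2044\u0131\u01c3")


def label_to_punycode(label):
    """Encode one DNS label to its ASCII-compatible (xn--) form."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def label_to_unicode(label):
    """Decode one xn-- label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def blacklisted_chars(hostname, blacklist=SAMPLE_BLACKLIST):
    """Return the sorted blacklisted characters present in a Unicode hostname."""
    return sorted({ch for ch in hostname if ch in blacklist})


def display_form(hostname, blacklist=SAMPLE_BLACKLIST):
    """Return the text a location bar would show for hostname.

    The name is decoded first, so a look-alike character cannot hide
    behind an already-encoded xn-- label. If any blacklisted character
    is found, the whole name is shown in punycode.
    """
    labels = [label_to_unicode(part) for part in hostname.split(".")]
    unicode_name = ".".join(labels)
    if blacklisted_chars(unicode_name, blacklist):
        return ".".join(label_to_punycode(part) for part in labels)
    return unicode_name


if __name__ == "__main__":
    # Constructed sample hostnames.
    for name in ("xn--bcher-kva.example", "pay\u2010pal.example"):
        print(repr(name), "->", display_form(name))
```
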
This is a bugfix and security update.
Security-related and crash fixes:
- Fixed certain network errors not displaying.
- Fixed network error page styling.
- Fixed the writing of DOM storage data to tabs (should solve
the "tabs not loading their contents" issue when migrating a profile
and some other situations).
- Disabled downloadable font unicode-ranges on non-Windows platforms.
- Added a Google Fonts user-agent override for non-Windows
platforms so they don't send unicode-ranged composite fonts (Feature
detection? Google apparently still doesn't know what that is).
- Re-enabled the reporting of CSS errors to the console by
default to prevent issues with some extensions that rely on this (e.g.
- Fixed and updated preferences for location bar suggestions.
- Fixed several x64-specific issues in memory allocation code (regression fix).
- Fixed timer issues when resuming a computer from stand-by (regression fix).
- Fixed a number of branding and textual issues in the browser.
- Fixed prompting for the saving of off-line data (previously always allowed without prompting).
- Fixed a layout regression that would cause block elements
following left floats to not wrap to the next line if there wasn't
- Fixed a mismatch in Firefox extension compatibility-mode
installation where Firefox extensions served by addons.mozilla.org
would be marked incompatible when trying to install.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not
apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by
the same code when surrounding code changes, exposing the problem.
- Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
- Fixed CSP bypass using the marquee tag (CVE-2016-9895).
- Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
- Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
- Fixed an error in the buffer logic in http-chunked decoder.
- Fixed a crash in generational GC code (not in use by default) DiD
- Fixed a compartment mismatch bug in plug-in code
- Fixed a crash trying to get a nonexistent property.
- Improved MediaRecorder's observer safety.
- Fixed a crash related to document history.
This is a minor update to address usability and security issues:
- Enabled Firefox Compatibility mode by default for the useragent string.
too many websites (and especially the big players who should know
better like Google, Apple and Microsoft) still require the "we must pretend to
be Firefox if we want this site to work" status quo to be
maintained, because people still insist on using useragent sniffing to
determine "browser features", or even worse, discriminate against free
choice of browser by flat-out refusing service (I'm looking at you,
banking industry and cloud services!) when visiting websites just because companies don't
want to provide assistance to any but users on the main 3.
HTML offers plenty of ways to do proper feature detection; site owners should use them.
Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
- The built-in devtools are back, and with a facelift!
Thanks to some consistent community help, the built-in devtools, sorely
missed by a number of our users, are back. They've received a code and
style update and should be fully functional on the new platform. This
was originally planned for 27.1, but it was decided to include this as
soon as possible, not in the least to assist extension developers in
their efforts to adapt to Pale Moon 27.
- Security fix:
Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
This is a bugfix release for some of the issues that popped up with the new milestone.
- Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code.
This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
- Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
- Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
- Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
- Worked around bad Netflix interface changes - it will now use a more compatible web UI.
Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
- Aligned base status bar colors with default prefs.
- Fixed status bar options not being remembered.
an override for Amazon Prime videos so they won't stop us at the front
door any longer when not using the Firefox Compatibility user agent
- Re-applied proper branding text to in-app licensing.
After about 8 months of development, we now have a new milestone
release with literally too many changes to list even concisely. These
release notes will therefore only highlight the most important parts of
In this release we've done a full upgrade of our back-end platform,
meaning many things work differently "under the hood" and you may run
into a number of extension compatibility issues as a result.
New and updated features:
- Support for DirectX 11 and Direct2D 1.1 on Windows. This
will bring Pale Moon more in line with the capabilities for current-day
operating systems and graphics hardware.
- Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
- Pale Moon now fully supports HTTP/2.
- Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
- Media Source Extensions have been implemented to solve many video playback issues.
This can be enabled/disabled and configured in Options. It's
recommended at this time to not enable MSE for WebM since there are a
few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
- Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
- Support for SSL/TLS connections to proxy servers.
- Support for the WOFF2 font format for downloadable fonts.
many landmark ECMAScript6 features (chief among them promises and
generators). This will solve many of the web compatibility issues that
people have started to run into in the past few months (e.g. webmail
interfaces, some sites coming up blank because they are
- The way web content is cached has been changed to be more
efficient. If you want to immediately take advantage of this, clear
- Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
- Removed the internal PDF (pre)viewer. This module was not
maintained, was unable to display even half of the PDF documents
correctly, and could not reasonably remain included in the browser.
Please use a separate reader and/or install a PDF reader plugin.
- Disabled building of the devtools. They will not be
included in release versions of Pale Moon from this point forward. If
you are a web developer or otherwise need those tools, fear not! They
are available as a browser extension.
- Removed the active XSS filter. This feature, although
effective, was prone to some instability and needs to be rewritten for
the update of our platform. It may or may not return in the future,
depending on whether the original author has time to rewrite parts of
this filter implementation.
- Removed support for Add-on SDK extensions (JetPack
extensions), considering the Mozilla/Gecko SDK is no longer compatible
with our combination of application and platform code.
Other important notes:
- All relevant security fixes up to and including Firefox 50
have been ported across from Mozilla to continue to provide a
browser that is as secure as possible.
- Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
- There's a new option and control to determine whether to
save zone information (marking files as "downloaded from the Internet")
on downloaded files (Windows+NTFS). You can find this in Options.
first upgrading your browser to v27, your profile will be migrated to
the new format for the browser. This is a one-time conversion and
unfortunately this migration can cause some issues. Please see the forum FAQ for more details.
- Pale Moon 27 will initially only be available in English.
We are working on getting localization done to have language packs
available over time.
Important: You cannot use the previous language packs since
many strings have changed. Trying to do so will likely prevent the
browser from starting or functioning. Pale Moon will automatically
disable language packs for the previous version, but if you have
explicitly disabled add-on compatibility checking you may run into
- We will continue to fully support the following:
- NPAPI plugins
- Extensions with binary/XPCOM components
- XUL/Overlay and bootstrapped extensions
- Complete themes
- Unsigned and author-signed extensions
- The Camellia encryption cipher (also in GCM mode)
- Graphite font shaping
- Sync 1.1 (albeit without support for syncing add-ons)
- Full customization of the UI as before
Release notes for previous versions (unsupported)
You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes page.