Pale Moon: Release notes

25.3.1 (2015-03-25)

This is a security update to the browser that addresses a critical vulnerability found in the Pwn2Own contest. Only one vulnerability found in this contest applies to Pale Moon, and it has been addressed in this update.

Fixes/changes:
  • Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
  • Fixed IPv6 DNS resolution regression in some less common cases.

25.3.0 (2015-03-13)

This is an important update to improve features and performance, as well as address important security issues.

Fixes/changes:
  • Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
    Note that older operating systems or older/embedded video processors may be limited in their support of these features.
  • Updated the ANGLE library to a much more current version.
  • Removed the crash reporter code completely to improve overall browser responsiveness and operation.
    Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on crash reporter data-gathering tools.
  • Removed the Mozilla Plugin Finder Service (no longer in use at Mozilla).
  • Android: removed the Mozilla "product announcements" service.
  • Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10).
  • Significantly improved performance and accuracy of date/time/timer handling.
  • Significantly improved performance of the creation of DOM elements with plain text content.
  • Added several significant performance optimizations for arrays and strings in JavaScript.
  • Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
  • Added an "Open link in current tab" context menu entry on links for UI consistency.
  • Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
  • Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
  • Added Windows 10 compatibility in executable manifests.
  • Android: Fixed a crash on GL canvas surfaces.
  • Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
  • Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
  • Fixed a bug where a variable in parentheses would abort JavaScript parsing.
  • Fixed a bug where the address bar would incorrectly be cleared.
  • Fixed padding issues for dropdown lists.
  • Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
Security fixes:
  • Disabled all RC4-based encryption ciphers by default.
  • Fixed several miscellaneous memory safety hazards.
    (applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
  • Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
  • Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
  • Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
    Note: production builds of Pale Moon were never vulnerable.
  • Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
  • Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
  • Fixed a potential PNG heap-overflow crash. DiD
  • Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.
DiD: This means that the fix is "Defense-in-Depth": it does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code if changes to surrounding code expose the problem.

25.2.1 (2015-01-27)

This is a small update to address cookie handling through proxies causing issues for some authenticating proxies in corporate environments.

25.2.0 (2015-01-15)

This is an important update after rapid development on the back-end to extend browser capabilities and implement some ES6 draft functions for web programmers, as well as provide some important crashfixes, bugfixes and security updates.

Fixes/changes:
  • ES6: Added the following functions:
    • Array.prototype.find and Array.prototype.findIndex
    • IsConstructor(arg)
    • Array.of(items...)
    • Number.parseInt and Number.parseFloat
    • Advanced math functions: hyperbolic sin/cos/tan/asin/acos/atan, hypotenuse, cube root, expm1, log1p, log10, log2, sign and trunc
    • Map.prototype.forEach and Set.prototype.forEach
  • ES6: Added the following number constants: EPSILON, MIN_SAFE_INTEGER and MAX_SAFE_INTEGER
  • ES6: Added the use of binary and octal numeric literals (0b... and 0o...)
  • ES6: Updated behavior of accessing indexed values in accordance with the spec.
  • CSS: Added overflow-clip-box:content-box|padding-box
  • DOM: Added table.createTBody() function
  • Added a clearer alltabs button for dark personas.
  • Added a development tools toggle hotkey (F12)
  • Added a preference prompts.tab_modal.focusSwitch to enable or disable tab switching when a modal dialog (e.g. JavaScript confirmation) is presented in a page.
  • IonMonkey on Android: fixed the implementation of AbsI.
  • IonMonkey: fixed a bug where actively used objects were discarded.
  • Fixed register initialization to prevent incorrect detection of SIMD instructions on some CPUs.
  • Optimized some loops in the spell checker to increase performance.
  • Simplified cache handling, updated cache parameters to better reflect current web use, and enabled automatic cache sizing by default.
  • Adjusted memory cache sizing to better reflect capacities of current hardware.
  • Updated UserAgent override workarounds for Netflix and Facebook to fix some site issues.
  • Aligned programmatic access to geolocation with the spec.
  • Fixed a crash when being fed a data file (XML) with too deeply nested tags.
  • Fixed a crash in HTML5/WebAudio that affected some games.
  • Fixed a crash when programmatically collapsing elements.
  • Fixed a few non-breaking bugs related to e10s code.
  • Fixed text input/padding issues.
  • Updated surround downmixing code for Vorbis.
  • Improved tolerance in WebAudio for loading multichannel audio files.
  • Android: Fixed an issue with Flash; it should now run on more devices.
  • Updated the DDG search plugin to make the actual query be the last parameter in the address bar for easy editing after a search has been performed.
  • Removed some unused update channel code.
  • Updated branding to more clearly indicate Pale Moon's trademark.
  • Updated some licensing texts in-browser to properly reflect used code and rights.
Security/privacy fixes:
  • Added a preference network.stricttransportsecurity.enabled to enable or disable the use of HSTS (HTTP Strict Transport Security), allowing users to choose between privacy and security in this matter. (hidden pref)
  • Fixed CVE-2014-1589 by whitelisting XBL bindings that may be applied to untrusted content.
    Important: extension developers should read this related thread.
  • Fixed CVE-2014-1593.
  • Mac: fixed CVE-2014-1595.
  • Fixed CVE-2014-8639 by adjusting cookie handling through proxies.
  • Fixed CVE-2014-8636.
  • Fixed several memory safety hazards that do not have CVE numbers.

25.1.1 (2014-11-28) Android only!

This point release for Android only addresses critical browser issues (crash on startup) when trying to run Pale Moon on Android 5.0 (AKA Android-L or Lollipop). No other changes involved in this release.

25.1.0 (2014-11-14)

This is an important update after rapid development on the back-end to keep pace with the current changes on the web and improve compatibility with websites.

Fixes/changes:
  • New feature: multi-line flexbox support.
    Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This has been on Pale Moon's to-do list for a while but was rather complex to tackle, hence the delay in implementation. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
  • New feature: added support for collapsed flex element items.
  • Enhanced feature: Content Security Policy (CSP)
    Pale Moon now fully supports the CSP 1.0 specification, allowing websites to set restrictions on content to prevent XSS (cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and Facebook galleries).
  • New feature: added support for iframes with inline content.
  • Updated the Firefox Compatibility mode version to 31.9.
    With the improvements in rendering and overall feature set, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites).
  • Pale Moon no longer builds the so-called "media navigator" by default.
    This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
  • Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
  • Fixed oversized/blocky menu arrows on Windows 8.1 in HiDPI mode.
  • Fixed incorrect operating system being passed on to addons.mozilla.org.
  • Fixed an error being thrown in the error console/web console when opening a new window.
  • Removed the NVidia 3D Vision auxiliary utility library.
    This library has been the likely cause for a number of crashes on NVidia cards, and is completely unnecessary for Pale Moon.
  • Made the installer less aggressive for file type associations, to prevent "stealing" of globally associated file types.
  • Android: improved restoring of session tabs.
  • Android: added an option to automatically restore tabs.
    An important thing to note with this new option is the following: with the option enabled, Pale Moon will now automatically restore tabs you had open previously when the app gets suspended (pushed out of memory by other apps, closed by swipe, etc.). The "quit" main menu option, however, completely shuts down your session, unloads Pale Moon from active memory, and tabs will not be automatically restored when you launch Pale Moon again. This is by design. To restore tabs in that situation, use the link from the home screen.
  • Fixed memory security hazards CVE-2014-1574 and CVE-2014-1575. (security fix)
  • Fixed CVE-2014-1581. (security fix)
  • Fixed bug 1069584: Bail if a cairo surface is in an invalid state. (security fix)
  • Made sure to initialize surfaces for draw targets. (security fix)
  • Fixed CVE-2014-1594: Use AsContainerLayer() in order to avoid a bad cast. (security fix)
  • Fixed several problems in the HTML parser. (security fix)
  • Improved security of XHR by filtering out types of requests that can potentially be abused. (security fix)

25.0.2 (2014-10-24)

This is a small update to address a number of teething problems with the new milestone release.

Fixes/changes:
  • Added a "Firefox compatibility mode" selection in Options -> Advanced.
    This mode is enabled by default (reluctantly so), because too many websites (including some very big players who, themselves, promote an Open Web...) still use very poor browser detection methods based on arbitrary User Agent string comparisons, not catering to alternative browsers, and the resulting user experience being poor (being presented with mobile site layouts, broken pages, or even being flat-out refused service because someone exercises freedom of choice for web browser used). This should alleviate most, if not all, issues with browser-discriminating websites.
  • Improved active tab display on particularly dark personas.
    People using "black" personas/lightweight themes should now have a lot less difficulty distinguishing the active tab.
  • Disabled SSL 3.0 by default (to put a muzzle on the POODLE).
    Please note that this may cause issues with some poorly configured web servers (usually ones with a hopelessly broken security setup that do not support TLS 1.2 or secure (re)negotiation of the protocol).
  • Fixed add-on update issue (that was preventing update checking through addons.palemoon.org).
  • Fixed the redundant redundancy in asking redundantly if the browser would be allowed to ask to install an extension when not on addons.mozilla.org.
  • Fixed the internal UA-sniffing insanity that broke devtools in a few different and colorful ways.

25.0.1 (2014-10-15)

This is a small update to address an important Jetpack extension compatibility issue and includes a number of security fixes.

Fixes/changes:
  • Update of the add-on SDK to add missing "Pale Moon" engine entries to lists. This should fix extension compatibility issues for jetpack extensions that otherwise already work with the new GUID.
  • About box release notes link corrected
  • Fix for VP9 decoder vulnerability. (security fix)
  • Fix for direct access to raw connection sockets in http. (security fix)
  • Fix for unsafe conversion to JSON of data through the alarm dom element. (security fix)
  • Update of NSS to 3.16.2.2-RTM. (security fix)

25.0.0 (2014-10-10)

Pale Moon 25.0 is a new major release with a large number of changes. A summary of the most important changes can be found here; for more details about this release, please check the forum.

Fixes/changes:
  • Change of the browser's GUID (Globally Unique Identifier) to properly differentiate from Firefox.
    The new GUID is {8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}.
  • Allow extensions with both Pale Moon GUID and Firefox GUID to be installed natively (dual-ID system).
    Pale Moon GUID blocks will have preference over Firefox (compatibility) blocks.
  • Disconnect of Pale Moon's "Firefox compatibility" version from Pale Moon's application version to maintain Firefox 24.* extension compatibility regardless of Pale Moon version.
  • Disable Firefox Compatibility mode by default.
    This means Pale Moon will no longer have a Firefox/xx.xx indicator in its UserAgent string.
    This may impact some websites that check browsers by UserAgent and possibly warn, complain or block you. You should contact the site's owners and request support for Pale Moon. Pale Moon will allow you to override the UserAgent on a per-site basis if you absolutely must visit the site and they absolutely won't cater to your freedom of browser choice.
  • Use the alternative sync implementation on a new server.
    Current Pale Moon sync accounts cannot be ported over, so you will have to create a new account when updating to v25.
    The previous server implementation has already been shut down due to continued issues, and will be retired in the very short term to free up infrastructure and reduce expenses. The alternative sync implementation is Sync 1.1 compatible, like before.
  • Stop building the WebApp runtime by default.
    The use of "Web Applications" started from the command-line is such a niche feature that it has no business being in Pale Moon's main-line builds.
    If you need the WebApp runtime for your specific organization and want to use Pale Moon, you can build Pale Moon from source with the feature enabled.
  • Stop supporting Windows XP. As mentioned a few times before, Pale Moon's support for Windows XP (and any other NT 5.x based operating system) has now ended. An exception to this is the specialized Atom build because of limited operating system availability on netbooks and the like. More details on the dedicated page for this change.
  • By default, do not sync add-ons.
    When syncing between different devices, you will likely not want to sync the add-ons in use. There's a reason you're using different devices, after all.
  • Un-prefix CSS box-sizing.
    You can now use box-sizing:border-box, box-sizing:padding-box and box-sizing:content-box to switch box-sizing mode on elements using CSS.
  • Implement image-orientation in CSS.
    You can now use image-orientation: {angle} [flip] in CSS to rotate images in 90 degree steps and optionally flip them.
  • Improve bookmark menu item-dragging.
    Dragging bookmarks in the bookmarks menu is now more convenient (allow diagonal dragging, prevent tooltips from interfering, etc.).
    (Fixes bugs 225434, 419911 and 555474)
  • Move the option to "use the classic downloads window" from status bar preferences to the main options window.
    This way, it's easier for people to find and it's in a much more logical place. The classic downloads window will not go away any time soon in Pale Moon.
  • Update branding images for official/unofficial logo, and some about: pages.
  • Add a new type of "blank new tab" page with logo-styling.
    This logo page will be the default setting (instead of about:blank).
  • Add Opus audio to WebM.
  • Add VP9 codec to WebM on both desktop and Android/ARM.
  • Allow absolute-in-relative positioning in table and CSS table-cell elements.
  • Allow the user to override the use of accessibility colors in the browser with browser.display.ignore_accessibility_theme
  • Improve the display of tabs when lightweight themes (personas) are in use for both light and dark themes.
  • Enable cache compression by default to more efficiently use disk cache.
  • When shutting down the browser while you still have downloads in progress, Pale Moon will now by default warn you that the downloads will be cancelled.
  • Added language packs for Acholi, Assamese, Kashubian, Pulaar Fulfulde, Armenian, Khmer, Ligure, Mongolian, and Swahili.
Bug/regression fixes:
  • Prevent error in removeobserver() for the padlock code when closing a window
  • Hang fix: Release XPCOM timer immediately after firing to prevent a race condition. (CVE-2014-1553)
  • Android & any ARM processor: Always use integers for audio instead of floats.
  • Properly apply the use of high contrast themes on Windows 8/8.1
  • Prevent the accumulation of hidden about:blank windows in some situations.
  • Android: prevent deadlocks due to invalidations when using plugins (Flash)
  • Re-enable high-quality downscaling of particularly large images (selective HQ downscaling) and improve fast image scaling method (use Lanczos instead of Hamming)
  • Hang/DoS fix: Avoid uninterruptible infinite loops in IonMonkey in some situations. (CVE-2014-1548)
  • Android: improve the handling of zooming to input fields
Security fixes:
  • Properly derive/insert the host of a URL
  • Avoid negative audio ratios (can lead to crashes) (CVE-2014-1565)
  • Avoid some root hazards in the style parser
  • Add is-object check to IonBuilder::makeCallHelper (CVE-2014-1562)
  • Clear the jumplist icon cache when history is cleared (privacy fix)
  • Crash fix on Windows (JS JIT) (CVE-2014-1554)
  • Prevent buffer overrun in text directionality component (CVE-2014-1567)
  • Update NSS to 3.16.2.1-RTM (CVE-2014-1568)

Release notes for previous versions (unsupported)

You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes page.

Firefox, Mozilla Firefox and Mozilla are registered trademarks of the Mozilla Corporation.
The Pale Moon product/project names and logo are a trademark™ of Moonchild Productions.
Site and contents © 2009-2015 Moonchild Productions - All rights reserved