Pale Moon: Release notes
DiD This means that
a fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
This is a development and security update to the browser.
Note for Linux users:
With CentOS 6 going end-of-life, this version will be the last for
which we will be building 32-bit Linux official binaries to download.
While your distribution may choose to continue offering 32-bit versions
of the browser, built from source by the maintainers, we won't be
offering any further official 32-bit Linux binaries on our website.
Please check with your distribution's package maintainers to know if
further 32-bit support will be available on your particular flavor of
- Aligned CSS
tab-size with the specification
and un-prefixed it.
- Updated Brotli library to 1.0.9.
- Updated JAR lib code.
- Optimized UI code, resulting in smaller downloads and less
space consumed on disk.
- Changed the default Firefox Compatibility version number to
68.0 (since versions ending in .9 makes
some frameworks unhappy, refusing access to users)
- Cleaned up HPKP leftovers.
- Disabled the DOM filesystem API by default.
- Removed Phone Vibrator API.
- Fixed an issue where the software uninstaller would not
remove the program files it should.
- Fixed a devtools crash related to timeline snapshots.
- Fixed an issue in Skia that could cause unsafe memory
- Fixed several data race conditions. DiD
- Fixed an XSS vulnerability where scripts could be executed
when pasting data into on-line editors.
- Linux: Fixed an overflow issue in freetype.
- Security issues addressed: CVE-2020-26960, CVE-2020-26951,
CVE-2020-26956, CVE-2020-15999 and several others that do not have a
- Unified XUL Platform Mozilla Security Patch Summary: 4
fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.
- Windows binaries should all be properly code-signed again.
- The uninstaller issue might only appear if you have not
used the internal updater to update the browser after installation.
- The DOM Filesystem and dir picker APIs are, in practice,
not used on websites. We've disabled these web-exposed APIs because
they are not entirely without potential risk, and intend to remove them
in a future version unless there is a demonstrable need to keep them as
optional (unsupported) APIs in the platform.
- One of the rejected security patches deals with entering a
single word in the address bar. Standard browser behavior in that
situation is for browsers to do a normal network lookup of that word in
case it is a LAN machine name (other browsers also do this) which may
"leak" your entered search term to the LAN. If you want to avoid this,
please always use the search box for
entering web searches, as it's unambiguous what to do with
single words in that case.
This is a standard development and bugfix release.
- Implemented support for CSS
- Implemented support for un-prefixed
- Fixed another potential crashing scenario in
- Fixed several crashes in the DOM
- Fixed a crash in table pagination.
- Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and
several memory safety hazards.
- Unified XUL Platform Mozilla Security Patch Summary: 1
fixed, 2 defense-in-depth, 12 not applicable.
This update fixes a few important issues.
- Fixed some additional crashes caused by the ResizeObserver
API. This should take care of all crashes that have been attributed to
this new code.
- Fixed erroneous parsing of CSS percentages as number values.
This update addresses an intermittent crash in the newly-implemented
ResizeObserver API (introduced in 28.14.0) occurring on a number of
high-profile and often-used websites.
This is a development and security update.
- Updated the browser identity code for website security to
more clearly indicate website status.
A detailed explanation is available on the forum and beyond the scope
of these release notes.
- Updated unofficial branding to be more generic and more
clearly separate unofficial builds from Pale Moon as a product.
Please note that this goes hand in hand with an update of our redistribution license, and from
this point forward any "New Moon"
products are to be considered separate, and not unofficial Pale Moon
builds or in any way related to or affiliated with Pale Moon, despite
the similarity in name.
- Added a preference (
give users the option to ask for the Master Password the moment the
application starts (before the main window opens). This allows a
workaround for getting multiple Master Password prompts if individual
components need access to the password store at the same time.
- Changed the way download sources are displayed to always
use the actual domain downloads are from. In some situations the
browser would previously display the domain of the referring page in an
- Implemented the ES2019
- Implemented the CSS
- (Re-)implemented percentage-based CSS
values according to the updated spec.
- Implemented the last few missing bits for a
resource: scheme, etc.)
- Implemented the
ResizeObserver DOM API.
- Fixed a null crash on some websites using CSS clip paths.
- Updated script handling inside SVGs to only run scripts if
they are enabled and permitted, avoiding a potential XSS pitfall.
- Fixed several memory safety hazards and crashes.
- Updated the
MediaQueryList interface to the
updated spec. It now inherits from
in addition to
and should improve web compatibility for some sites.
- Removed support for the archaic and non-standard
- Removed some leftovers from the discontinued plugin update
- Removed some internal HPKP implementation leftovers.
- Cleaned up the Windows widget code to reduce potentially
vulnerable direct-dll loads.
- Security issues fixed: CVE-2020-15676 and CVE-2020-15677
- Unified XUL Platform Mozilla Security Patch Summary: 2
fixed, 1 defense-in-depth, 7 not applicable.
Release notes for older versions than those listed here
You can find the release notes for previous releases of Pale Moon on
the Archived Release