Pale Moon: Release notes
DiD This means that
a fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
Rejected security patches:
This means that patches were theoretically applicable to our code but
considered undesirable, which could be due to unwanted changes in
behavior, known regressions caused by the patches, or unnecessary risks
for stability, security or privacy.
This is a new milestone release.
After our unacceptable and recalled release of v30.0.0 and 30.0.1 with
the departure of one of the core devs from our team
requiring us to rewind and re-do several months of work to exclude
undesired code changes and what likely lay at the root of the plethora
of stability and run-time issues of the recalled versions, we're back
on track with a new milestone building on UXP and Goanna (v5.1) with
many improvements and additional user-requested features.
To prevent user confusion, we're skipping from 29 to 31.
Most important changes in this
- We're once again accepting the installation of legacy
Firefox extensions alongside our own Pale Moon exclusive extensions. As
always, please note that using extensions for an old version of a
different browser is entirely at your own risk and we obviously cannot
and will not provide much (if any) support for their use. Firefox
extensions will be indicated with an orange dot in the Add-ons Manager
in the browser. This will include the converted extensions for the few
of you who are coming from recalled versions with -fxguid suffixes.
- Implemented Global Privacy Control, taking the place of the
unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to
websites that you do not
to share or sell your data.
- Implemented "optional chaining" (thanks, FranklinDM!).
setBaseAndExtent for text
- Implemented accepting unit-less values for
in Intersection observers for web compatibility, making it act more
margin as one would expect.
- Improvements to CSS grid and flexbox rendering and display
following spec changes and improving web compatibility.
- Improved display of cursive
scripts (on Windows). Good-bye Comic Sans!
- Updated various in-tree libraries.
- "Default browser" controls in preferences has been moved to
- Added support for extended VPx codec strings in media
delivery via MSE (RFC-6381).
- Fixed a long-time regression where the browser would no
longer honor old-style body and iframe body margins when indicated in
the HTML tags directly instead of CSS. This improves compatibility with
particularly old and/or archived websites.
- Fixed several crashes and stability issues.
- Added a licensing screen to the Windows installer to
clarify the browser's licensing. In other installations, you may find
this licensing statement in the added license.txt file in
the browser installation location.
- Removed all Google SafeBrowsing/URLClassifier service code.
- Restored Mac OS X code and buildability in the platform.
- Removed the non-standard
API that was only ever a prototype implementation.
- Removed most of the last vestiges of the invasive Mozilla
Telemetry code from the platform. This potentially improves performance
on some systems.
- Removed leftover Electrolysis controls that could sometimes
trick parts of the browser into starting in a (very broken)
multi-process mode due to some plumbing for it still being present, if
users would try to force the issue with preferences. Obviously, this
was a footgun for power users.
- Removed more Android/Fennec code (on-going effort to clean
up our code).
- Removed the Marionette automated testing framework.
- Security issues addressed: CVE-2022-29915, CVE-2022-29911,
and several issues that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not
This is a security and bugfix release.
- Fixed a potential crash issue on bing.com.
- Updated NSS to 3.52.4 to address security issues.
- Fixed some thread locking issues. DiD
- Worked around a Mesa driver bug that could cause crashes.
- Fixed a potential resource access issue in devtools. DiD
- Security issues with CVEs addressed: CVE-2022-1097,
CVE-2022-28285 (DiD) and
- UXP Mozilla security patch summary: 1 fixed, 5 DiD, 2
rejected, 23 not applicable.
This is a bugfix update to address performance issues due to caching.
This is a security update.
- Fixed several application crash scenarios. DiD
- Fixed a number of thread locking/mutex issues. DiD
- Fixed a leak of content types due to inconsistent error
- Fixed an issue with iframe sandboxing not being properly
- Fixed a potential leak of bookmarks from the exported
file if it included a malicious bookmarklet.
- Fixed an issue with drag-and-drop. (CVE-2022-22756)
- Fixed a potential crash due to truncated WAV files.
- Fixed a memory safety issue with XSLT. (CVE-2022-26485)
This is a security update.
- Improved application library loading security. DiD
- Fixed a potential out-of-bounds issue in IndexedDB. DiD
- Fixed a potential issue in widget data handling code. DiD
- Fixed potentially exploitable crashes in handling
truncated/corrupt media files or streams.
- Fixed an issue in the DOM FileReader code.
- Updated NSS to 3.52.3 to address a security issue.
- Fixed the following security issues: CVE-2022-22736,
CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and
- Unified XUL Platform Mozilla Security Patch Summary: 8
fixed, 4 DiD,
17 not applicable.
Important note about
v30.0.0 and v30.0.1
The milestone release version has been recalled. If you are still
v30.0.* of Pale Moon Please upgrade as soon as possible. If
you have any extensions installed that have been converted to an
-fxguid version you should re-install them from our add-ons site
with a compatible version.
You can find the release notes for previous
releases of Pale Moon on
the Archived Release