Pale Moon: Release notes
DiD: This means that a fix is "Defense-in-Depth": a fix that does not
address a (potentially) actively exploitable vulnerability in Pale Moon,
but prevents future vulnerabilities in the same code, e.g. when
surrounding code changes and exposes the problem, or when new attack
vectors are discovered.
Rejected security patches:
This means that patches were theoretically applicable to our code but
were considered undesirable, whether because of unwanted changes in
behavior, known regressions caused by the patches, or unnecessary risks
to stability, security or privacy.
This is a small update to back out the changes to handling of flex
containers in 31.3.0 since it caused severe usability issues on several
This is a major development, bugfix and security release.
built-in indexables (
- Implemented the use of EventSource in workers.
- Enabled the sending of the Origin: header by default on
- Changed how Pale Moon is built. We are now using Visual
on Windows, and have made build system changes to reduce build times
and pressure on the linker on all platforms.
- Changed how Pale Moon handles standalone wave audio files
(.wav). See implementation notes.
- Improved string normalization.
- Updated the handling of CSS "supports" to now accept
unparenthesized strings (spec update).
- Updated the handling of flex containers in web pages for
- Fixed various issues when building for Mac OS X.
- Fixed various C++ standard conformance issues in the source
- Fixed several issues building on SunOS and Linux with
various configurations and gcc versions.
- Fixed an issue with regular expressions'
syntax and usage. See implementation notes.
- Switched custom hash map to
- Cleaned up and updated IPC thread locking code.
- Removed spacing for accessibility focus rings in form
controls to align styling of them with expected metrics.
- Removed the unnecessary control module for building with
non-standard configurations of the platform.
- Removed the
-moz prefix from
max-content CSS keywords where it was still in use.
- Security fixes: CVE-2022-40956 and CVE-2022-40958.
- UXP Mozilla security patch summary: 2 fixed, 11 not
- Pale Moon would previously send standalone wave audio files
(.wav) to the system-configured media player when they were opened
standalone (i.e. not inside a
<media> HTML element
in a page). This was done because of the historical use of rather exotic
codecs in .wav files that would not be broadly supported in the
browser. Today, however, this is much less of a concern.
If you prefer to retain the old behavior and send .wav files to
whatever the configured system media player is, then you should set the
- There was a spec compliance issue with the
regular expression implementation, causing it to not work properly.
Specifically, the
new RegExp() constructor would
not accept "s" (dotAll) as a flag, and the
.dotAll property was
not cased properly (it was all lowercase), causing compatibility issues.
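The two behaviours described in the note above, as an added example that is not Pale Moon's code: a feature check for the "s" flag, a check that the flag is reported through the correctly cased `.dotAll` accessor, and a small extractor that uses dotAll where the engine has it and the portable `[\s\S]` idiom where it does not. The key="value" sample text and the function names are this example's own.

```javascript
// Added example (not Pale Moon's code): the two RegExp behaviours the
// implementation note above describes, with the feature checks a page
// script would use before relying on them.

// Constructed sample input: a simple key="value" format where one value
// spans two lines, which is exactly the case the "s" (dotAll) flag exists for.
const SAMPLE_INPUT = 'name="alpha"\ndescription="line one\nline two"\nversion="1"';

// Does the engine accept "s" in the RegExp constructor? An engine without
// the flag throws a SyntaxError here.
function supportsDotAllFlag() {
  try {
    new RegExp(".", "s");
    return true;
  } catch (e) {
    return false;
  }
}

// Is the flag reported through the correctly cased .dotAll accessor? The
// bug described above left the property under an all-lowercase name, so a
// script reading `re.dotAll` saw undefined rather than true.
function exposesDotAllProperty() {
  if (!supportsDotAllFlag()) return false;
  return new RegExp(".", "s").dotAll === true;
}

// Pull one value out of SAMPLE_INPUT-style text. With dotAll available "."
// crosses newlines; otherwise fall back to the [\s\S] idiom, which every
// engine understands. The key is escaped so it cannot inject pattern syntax.
function multilineValue(input, key) {
  const safeKey = key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const body = supportsDotAllFlag() ? "(.*?)" : "([\\s\\S]*?)";
  const flags = supportsDotAllFlag() ? "sm" : "m";
  const re = new RegExp("^" + safeKey + '="' + body + '"$', flags);
  const m = re.exec(input);
  return m ? m[1] : null;
}
```

On an engine with the bug described above, `supportsDotAllFlag()` returns false and the extractor silently takes the portable branch; `exposesDotAllProperty()` is the check that distinguishes "flag accepted" from "flag accepted and correctly reflected".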
This is a small out-of-band update to address the fact that the final
builds did not include the intended NSS library update.
This is a major bugfix and development update.
Special thanks to Athenian200, Jobbautista9, Martok and dbsoft for
their contributions this cycle :)
- Implemented CSS
white-space: break-spaces for
Intl.RelativeTimeFormat for web
- Implemented "Origin header CSRF mitigation". This is still disabled
by default to investigate potential issues with CloudFlare-backed sites.
- Implemented support for async generator methods in
- Added preliminary support for building on Apple Silicon,
such as the M1/M2 SoCs.
- Added support for building with Visual Studio 2022.
- Improved the handling of CSS "sticky" elements in tables.
- Improved stack size limits on all platforms. See
function.toString handling to align
- Updated Unicode support to Unicode v11, and updated the ICU
library accordingly. Building without ICU is no longer supported.
- Updated many in-tree third-party libraries to pick up
various performance and stability improvements.
- Updated site-specific user-agent overrides to work around
issues with Google fonts, Citi bank (again!) and MeWe.
- Removed some leftover (and unused) telemetry code in the
platform and front-end.
- Fixed an issue with VP9 video playback on Windows on some
- Fixed an issue with the add-ons manager not properly
handling empty update URLs.
- Fixed a major performance regression on *nix based systems
due to incorrect thread handling.
- Fixed volume handling when building with the
- Pale Moon no longer applies content security policies to
documents that are explicitly loaded as data documents or to images.
See implementation notes.
- Cleaned up some unnecessary code from the source tree for
unused build back-ends, Firefox marketplace "apps", and the rather
ridiculous moz://a protocol handler.
- Updated NSS to 3.52.8 to pick up several defense-in-depth
- UXP Mozilla security patch summary: 3 DiD, 12 not
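The server side of the "Origin header CSRF mitigation" listed above, as an added example that is not Pale Moon's or Mozilla's code. Once a browser sends Origin on cross-site POSTs, a server can reject state-changing requests whose Origin is not its own; the request shape, the site origin and the fallback to Referer for clients that send no Origin (as Pale Moon did while the header was disabled) are this example's own assumptions.

```javascript
// Added example (not Pale Moon's or Mozilla's code): the server-side half of
// an Origin-header CSRF check, written as a pure function so it can be
// dropped into any request handler.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Constructed site origin for the example below.
const SITE_ORIGIN = "https://app.example";

// Reduce a URL to its origin (scheme://host[:port]); null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed.
//   req = { method, headers: { origin?, referer? } }  (assumed shape, not a real framework)
//   siteOrigin = the origin the application serves, e.g. SITE_ORIGIN
// Returns { allow: boolean, reason: string }.
function checkCsrfOrigin(req, siteOrigin) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allow: true, reason: "safe method" };
  }
  const origin = req.headers.origin;
  if (origin !== undefined) {
    // Browsers send the literal string "null" for opaque origins (sandboxed
    // iframes, data: documents); that is cross-site as far as we are concerned.
    if (origin === siteOrigin) return { allow: true, reason: "origin matches" };
    return { allow: false, reason: "origin mismatch: " + origin };
  }
  // No Origin header: older clients, or ones with the header disabled, send
  // none. Fall back to Referer, which carries the origin as part of a full URL.
  const referer = req.headers.referer;
  if (referer !== undefined) {
    if (originOf(referer) === siteOrigin) return { allow: true, reason: "referer matches" };
    return { allow: false, reason: "referer mismatch" };
  }
  // Neither header: same-site and cross-site are indistinguishable; fail closed.
  return { allow: false, reason: "no origin or referer" };
}
```

Failing closed on a missing header is the choice that makes the check worth having; a server that lets header-less POSTs through is exactly what a client with Origin disabled looks like to an attacker's forged form.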
- Prior to this version, Pale Moon would apply Content
Security Policies (CSPs) to all requests made to servers that responded
with a policy header, as one would expect from a strict, as-intended use
of CSP. Unfortunately, Chrome has been less strict in applying these
policies and specifically excludes applying them to images and "data
documents". As a result, web compatibility became a problem for
non-Google browsers, with webmasters oblivious to the overzealous CSPs
deployed on their websites, causing images (especially SVG) and data
documents to fail to load or render properly. To align with mainstream
browser behavior and improve web compatibility on misconfigured
websites, we no longer apply CSPs to images or to documents explicitly
loaded as arbitrary data.
- We've adjusted the default per-thread stack sizes in the
platform to be more generous on all platforms. This allows the browser
to render more deeply nested visual elements in web pages, and the new
limit matches the capabilities of mainstream browsers as a result.
Please note that some custom builds may need to adjust their linker's
stack size on some operating systems to produce a stable and usable
build with this change, since the new Goanna rendering depth requires
the larger stack to avoid overflowing it. The default per-thread stack
size is now 2 MB, with the exception of 32-bit Windows builds, where
1.5 MB is used to go easy on the limited address space. Custom Linux
builds with system-default small stack sizes should adjust their build
configuration accordingly.
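To make concrete what a CSP governs, the following added example (not Pale Moon's code) evaluates the `img-src` directive of a document's policy against candidate image URLs. The behaviour change described in the CSP note above concerns only policy headers carried on the image or data-document response itself; an evaluator like this one, like mainstream browsers, never consults those. The policy strings and URLs are constructed for the example, and path matching and the non-image keywords are left out.

```javascript
// Added example (not Pale Moon's code): a minimal evaluator for the img-src
// directive of a document's Content Security Policy. It covers the common
// source forms ('none', 'self', *, scheme:, host with optional scheme, port
// and leading wildcard); path matching and the other keywords are omitted.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// "img-src a b; default-src 'self'" -> Map { "img-src" => ["a","b"], ... }
// The first occurrence of a directive wins, as in the CSP spec.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// "*.example.com" matches any subdomain but not the apex; otherwise exact.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit `url` (a URL object) for a document at docOrigin?
function sourceMatches(src, url, docOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === docOrigin;
  if (s.startsWith("'")) return false;                 // other keywords do not apply to images
  if (s === "*") return url.protocol in DEFAULT_PORTS;  // * never matches data:, blob: etc.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme ? url.protocol !== scheme + ":" : !(url.protocol in DEFAULT_PORTS)) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port && port !== "*" && port !== urlPort) return false;
  return true;
}

// Would a document at docOrigin with this policy be allowed to load imageUrl?
// img-src falls back to default-src; with neither present the load is unrestricted.
function cspAllowsImage(policy, imageUrl, docOrigin) {
  const directives = parseCsp(policy);
  const sources = directives.get("img-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(imageUrl);
  return sources.some((src) => sourceMatches(src, url, docOrigin));
}
```

The `*` case is the one webmasters most often get wrong: it permits any http(s) host but not `data:` images, so an "img-src *" policy still blocks inline data URLs unless `data:` is listed explicitly.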
This is a security update.
Rejected patches were for behavioral changes to long-standing drag and
drop behavior that were marked as potential security issues. The amount
of social engineering and user interaction required to abuse this
behavior has, however, kept it from being a practical issue over the
past 9 years, and the measures Mozilla has now taken to work around it
were considered disproportionate in complexity and impact on browser
behavior to warrant accepting them.
- Updated the list of blocked external protocol handlers to
combat abuse of OS-supplied services on Windows.
- Fixed a potential issue with revoked site certificates when
connecting through a proxy.
- Updated NSS to 3.52.7 to pick up some security fixes.
- Updated site-specific user agent overrides to work around
bad sniffing practices of Dropbox and Vimeo.
- Security issues addressed: CVE-2022-34478, CVE-2022-34476,
CVE-2022-34472, CVE-2022-34475 DiD,
CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2
rejected, 11 not
This is a major development update, focusing on media support, browser
stability, performance and web compatibility.
- Added Mojeek as an additional search engine in the browser.
See implementation notes.
- Implemented "nullish coalescing operator" (thanks,
FranklinDM!) for web compatibility.
- Fixed various crash scenarios in XPCOM.
- Fixed an important stability and performance issue related
to hardware acceleration.
- Fixed a long-standing issue where overly-long address bar
tooltips wouldn't break into multiple lines but instead cut off on the
- Fixed a long-standing issue where dynamic datalist updates to
<select> and similar elements wouldn't properly
update the option list.
- Disabled broken links to MDN articles in developer tools.
- Updated media support to include support for libavcodec
59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
- Enabled the date picker for
See implementation notes.
- Re-enabled the use of FIPS mode for NSS. See implementation
- Improved memory handling and memory safety in the
- Improved memory handling in the graphics subsystem of
- Updated FFvpx to v4.2.7
- Slightly reduced strictness of media checking for improved
compatibility with questionable "gif" video encoders used on major
- Cleaned up the way file pickers (file open/save/save as
dialogs) are handled on Windows.
- Restored the
gMultiProcessBrowser property of
the browser for Firefox extension compatibility. See implementation
- Improved the way data is transferred to and from canvases
to prevent memory safety issues.
- Updated NSS to 3.52.6 to address security issues.
- Reduced blocking severity for some extensions that were
marked hard blockers for GRE (but aren't for UXP).
- Security issues addressed: CVE-2022-31739, CVE-2022-31741,
and other security issues that do not have a CVE number.
- UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not
- Following concerns about bias, censorship and
unwanted filtering of search results by almost all available search
engines, we contacted Mojeek to have their search engine added by
default to Pale Moon. This was done to offer a truly independent search
alternative that has its own (long-standing) search index of the Web
and does not rely on the major indexers like Bing, Google or Yahoo, who
all apply bias and filtering to varying degrees to their search results
(e.g. about politics or the war in Ukraine). Since privacy-focused
search engines like DuckDuckGo do rely on search results from these
"big indexers", whatever their "upstream" decides to filter out
will also affect your results through those search engines. Mojeek
offers its own, entirely independent search results, which may provide
you with truly independent alternative results. Give it a try!
- Form input fields of type "date" will now pop up a
graphical calendar to pick dates instead of having to manually enter
the dates. Please note that the default format will match the base
language of the browser (American English) which will be reflected in
the mm/dd/yyyy placeholder. This is cosmetic only and does not actually
influence how the date is passed to the server via the form. More work
is needed for better localization of date and time input fields but
that did not make this release.
- FIPS mode is a special (rather archaic) operating mode of
the NSS security library and its software security device, which handle
certificates and credentials in the browser. In v31.0.0 this operating
mode was no longer supported, which prevented some users who had
previously enabled FIPS mode in the browser from accessing their
credentials (giving errors on the master password instead). For the
time being, support for this mode is enabled again, but if you use it,
please disable it, as it will go away. The standard operating mode
with a master password is more secure than FIPS mode at this point, and
FIPS was only ever necessary for US governmental use and was
"grandfathered in" without getting much attention. This will go away
permanently over time, so please pre-empt its removal by disabling FIPS
mode if you had enabled it (its control can be found in Preferences ->
Advanced -> Certificates tab -> Button "Security devices" -- yes, it's
buried pretty deep ;-) ).
- Windows binaries are now being built and linked against a
newer Windows SDK (10.0.22000.0) to align with system support for
Windows 11. It is unlikely that this will negatively affect any users
point in time.
- While we don't support multi-process browsing (or
"electrolysis"), extensions may still check what Firefox used as
an indicator of whether electrolysis was enabled, which in some
cases would require the extension to adjust its behavior. To provide
better compatibility with legacy extensions that might otherwise error
out when the gMultiProcessBrowser property was completely undefined, we
restored this property (hard-coded to "false" since we don't support
This is a new milestone release.
After our unacceptable and recalled releases v30.0.0 and v30.0.1, and
the departure of one of the core devs from our team, which required us
to rewind and re-do several months of work to exclude undesired code
changes (which likely lay at the root of the plethora of stability and
run-time issues of the recalled versions), we're back on track with a
new milestone building on UXP and Goanna (v5.1) with many improvements
and additional user-requested features.
To prevent user confusion, we're skipping from 29 to 31.
Most important changes in this
- We're once again accepting the installation of legacy
Firefox extensions alongside our own Pale Moon exclusive extensions. As
always, please note that using extensions for an old version of a
different browser is entirely at your own risk and we obviously cannot
and will not provide much (if any) support for their use. Firefox
extensions will be indicated with an orange dot in the Add-ons Manager
in the browser. This will include the converted extensions for the few
of you who are coming from recalled versions with -fxguid suffixes.
- Implemented Global Privacy Control, taking the place of the
unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to
websites that you do not
to share or sell your data.
- Implemented "optional chaining" (thanks, FranklinDM!).
setBaseAndExtent for text
- Implemented accepting unit-less values for
in Intersection observers for web compatibility, making it act more
margin as one would expect.
- Improvements to CSS grid and flexbox rendering and display
following spec changes and improving web compatibility.
- Improved display of cursive
scripts (on Windows). Good-bye Comic Sans!
- Updated various in-tree libraries.
- "Default browser" controls in preferences has been moved to
- Added support for extended VPx codec strings in media
delivery via MSE (RFC 6381).
- Fixed a long-standing regression where the browser would no
longer honor old-style body and iframe body margins when specified in
the HTML tags directly instead of in CSS. This improves compatibility
with particularly old and/or archived websites.
- Fixed several crashes and stability issues.
- Added a licensing screen to the Windows installer to
clarify the browser's licensing. In other installations, you may find
this licensing statement in the added license.txt file in
the browser installation location.
- Removed all Google SafeBrowsing/URLClassifier service code.
- Restored Mac OS X code and buildability in the platform.
- Removed the non-standard
API that was only ever a prototype implementation.
- Removed most of the last vestiges of the invasive Mozilla
Telemetry code from the platform. This potentially improves performance
on some systems.
- Removed leftover Electrolysis controls that could sometimes
trick parts of the browser into starting in a (very broken)
multi-process mode due to some plumbing for it still being present, if
users would try to force the issue with preferences. Obviously, this
was a footgun for power users.
- Removed more Android/Fennec code (on-going effort to clean
up our code).
- Removed the Marionette automated testing framework.
- Security issues addressed: CVE-2022-29915, CVE-2022-29911,
and several issues that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not
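The "optional chaining" operator listed in this release and the "nullish coalescing operator" listed in v31.1.0 above, as one added example that is not Pale Moon's code. It shows the difference between `??` and `||` on legitimately falsy values, and how `?.` short-circuits on absent branches instead of throwing. The user object and the function names are constructed for the example.

```javascript
// Added example (not Pale Moon's code): the two ECMAScript operators the
// release notes mention, applied to the kind of nested, partly absent
// configuration object that web apps read on startup.

// Constructed sample: a user record where some fields are legitimately
// falsy (0, "", false) and some branches are missing entirely.
const SAMPLE_USER = {
  name: "",
  loginCount: 0,
  prefs: { theme: null, notifications: false },
};

// `||` treats every falsy value as "absent", which silently discards a
// real 0, "" or false. This is the behaviour that makes defaults wrong.
function withLogicalOr(user) {
  return {
    name: user.name || "anonymous",
    loginCount: user.loginCount || 1,
    notifications: user.prefs.notifications || true,
  };
}

// `??` only substitutes for null and undefined, so stored falsy values survive.
// Note: mixing `??` with `||` or `&&` in one expression without parentheses
// is a SyntaxError, which is why the two are kept in separate functions here.
function withNullish(user) {
  return {
    name: user.name ?? "anonymous",
    loginCount: user.loginCount ?? 1,
    notifications: user.prefs.notifications ?? true,
  };
}

// `?.` yields undefined instead of throwing when an intermediate value is
// null or undefined; combined with `??` it gives a safe default in one line.
function themeOf(user) {
  return user?.prefs?.theme ?? "light";
}

// Optional chaining works on element access and calls as well as properties:
// a missing array, an empty array, or a non-string element all end up as null.
function firstAddress(user) {
  return user?.addresses?.[0]?.toUpperCase?.() ?? null;
}
```

Feature checks are not needed for these operators the way they are for a runtime property: a script that uses `??` or `?.` fails to parse on an engine without them, so the whole script is skipped rather than one branch.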
This is a security and bugfix release.
- Fixed a potential crash issue on bing.com.
- Updated NSS to 3.52.4 to address security issues.
- Fixed some thread locking issues. DiD
- Worked around a Mesa driver bug that could cause crashes.
- Fixed a potential resource access issue in devtools. DiD
- Security issues with CVEs addressed: CVE-2022-1097,
CVE-2022-28285 (DiD) and
- UXP Mozilla security patch summary: 1 fixed, 5 DiD, 2
rejected, 23 not applicable.
This is a bugfix update to address performance issues due to caching.
This is a security update.
- Fixed several application crash scenarios. DiD
- Fixed a number of thread locking/mutex issues. DiD
- Fixed a leak of content types due to inconsistent error
- Fixed an issue with iframe sandboxing not being properly
- Fixed a potential leak of bookmarks from the exported
file if it included a malicious bookmarklet.
- Fixed an issue with drag-and-drop. (CVE-2022-22756)
- Fixed a potential crash due to truncated WAV files.
- Fixed a memory safety issue with XSLT. (CVE-2022-26485)
This is a security update.
- Improved application library loading security. DiD
- Fixed a potential out-of-bounds issue in IndexedDB. DiD
- Fixed a potential issue in widget data handling code. DiD
- Fixed potentially exploitable crashes in handling
truncated/corrupt media files or streams.
- Fixed an issue in the DOM FileReader code.
- Updated NSS to 3.52.3 to address a security issue.
- Fixed the following security issues: CVE-2022-22736,
CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and
- Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD,
17 not applicable.
Important note about
v30.0.0 and v30.0.1
The milestone release version has been recalled. If you are still using
v30.0.* of Pale Moon, please upgrade as soon as possible. If
you have any extensions installed that have been converted to an
-fxguid version, you should re-install them from our add-ons site
with a compatible version.
You can find the release notes for previous
releases of Pale Moon on
the Archived Release