Pale Moon: Release notes

General notes:
DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

v31.2.0.1 (2022-08-03)

This is a small out-of-band update to address the fact that the final builds did not include the intended NSS library update.

v31.2.0 (2022-08-02)

This is a major bugfix and development update.
Special thanks to Athenian200, Jobbautista9, Martok and dbsoft for their contributions this cycle :)

Changes/fixes:
  • Implemented CSS white-space: break-spaces for web compatibility.
  • Implemented Intl.RelativeTimeFormat for web compatibility.
  • Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
  • Implemented support for async generator methods in JavaScript.
  • Added preliminary support for building on Apple Silicon like M1/M2 SoC.
  • Added support for building with Visual Studio 2022.
  • Improved the handling of CSS "sticky" elements in tables.
  • Improved stack size limits on all platforms. See implementation notes.
  • Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
  • Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
  • Updated many in-tree third-party libraries to pick up various performance and stability improvements.
  • Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
  • Removed some leftover (and unused) telemetry code in the platform and front-end.
  • Fixed an issue with VP9 video playback on Windows on some systems.
  • Fixed an issue with the add-ons manager not properly handling empty update URLs.
  • Fixed a major performance regression on *nix based systems due to incorrect thread handling.
  • Fixed volume handling when building with the sndio audio back-end.
  • Pale Moon no longer applies content security policies to documents that are explicitly loaded as data documents or to images. See implementation notes.
  • Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
  • Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
  • UXP Mozilla security patch summary: 3 DiD, 12 not applicable.
Implementation notes:
  • Prior to this version, Pale Moon would apply Content Security Policies (CSPs) to all requests made to servers that would respond with a policy header, as one would expect for strict use of CSPs as-intended. Unfortunately, Chrome has been less strict in applying these policies and specifically excluded applying these policies to images and "data documents". As a result, web compatibility became a problem for non-Google browsers with webmasters being oblivious about their overzealous CSPs deployed on websites, causing images (especially SVG) and data to not load or load properly. To align with mainstream browser behavior and improve web compatibility on misconfigured websites, we are now no longer applying CSPs to images or documents explicitly loaded as arbitrary data.
  • We've adjusted default per-thread stack sizes in the platform to be more generous on all platforms. This allows the browser to render more deeply nested visual elements in web pages and the new limit matches the capabilities of mainstream browsers as a result. Please note that some custom builds may need to adjust their linker's stack sizes on some operating systems to come to a stable and usable build with this change since the new Goanna rendering depth requires this larger stack size to not run out of memory. The default per-thread stack size is now 2 MB with the exception of 32-bit Windows builds where 1.5 MB is used to go easy on its limited address space. Custom Linux builds with system-default small stack sizes should adjust their build configuration accordingly.



v31.1.1 (2022-07-07)

This is a security update.

Changes/fixes:
  • Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows.
  • Fixed a potential issue with revoked site certificates when connecting through a proxy.
  • Updated NSS to 3.52.7 to pick up some security fixes.
  • Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo.
  • Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
  • UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11 not applicable.
Rejected patches were for behavioral changes to long-standing drag and drop behavior that were marked as potential security issues. The amount of social engineering and user interaction required to abuse this behavior however has made it not a real practical issue over the past 9 years and the measures required to work around it as Mozilla has now done were considered disproportional in complexity and impact on browser behavior to warrant accepting them.

v31.1.0 (2022-06-07)

This is a major development update, focusing on media support, browser stability, performance and web compatibility.

Changes/fixes:
  • Added Mojeek as an additional search engine in the browser. See implementation notes.
  • Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility.
  • Fixed various crash scenarios in XPCOM.
  • Fixed an important stability and performance issue related to hardware acceleration.
  • Fixed a long-standing issue where overly-long address bar tooltips wouldn't break into multiple lines but instead cut off on the right side.
  • Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list.
  • Disabled broken links to MDN articles in developer tools.
  • Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
  • Enabled the date picker for <input type=date>. See implementation notes.
  • Re-enabled the use of FIPS mode for NSS. See implementation notes.
  • Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios.
  • Improved memory handling in the graphics subsystem of Goanna.
  • Updated FFvpx to v4.2.7
  • Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites.
  • Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows.
  • Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes.
  • Improved the way data is transferred to and from canvases to prevent memory safety issues.
  • Updated NSS to 3.52.6 to address security issues.
  • Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP).
  • Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number.
  • UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not applicable.
Implementation/build notes:
  • Following the concerns surrounding bias, censorship and unwanted filtering of search results by almost all available search engines, we've contacted Mojeek to have their search engine added by default to Pale Moon. This was done to offer a truly independent search alternative that has its own (long-standing) search index of the Web and does not rely on the major indexers like Bing, Google or Yahoo, who all apply bias and filtering to varying degrees on their search results (e.g. about politics or the war in the Ukraine). Since privacy-focused search engines like DuckDuckGo do rely on search results from these "big indexers", whatever their "upstream" decides to be filtered out will also affect your results through those search engines. Mojeek offers its own, entirely independent search results which may provide you with truly independent alternative results. Give it a try!
  • Form input fields of type "date" will now pop up a graphical calendar to pick dates instead of having to manually enter the dates. Please note that the default format will match the base language of the browser (American English) which will be reflected in the mm/dd/yyyy placeholder. This is cosmetic only and does not actually influence how the date is passed to the server via the form. More work is needed for better localization of date and time input fields but that did not make this release.
  • FIPS mode is a special (rather archaic) operating mode of the NSS security library and software security device that handles certificates and credentials in the browser. In v31.0.0 this operating mode was no longer supported which resulted in some users who had previously enabled FIPS mode in the browser from accessing their credentials (giving errors on the master password, instead). For the time being, support for this mode is enabled again but if you use it, please disable this mode as it will go away. Standard operating mode with a master password is more secure than FIPS mode at this point, and FIPS was only ever necessary for US governmental use and "grandfathered in" without getting much attention. This will go away permanently over time so please pre-empt this removal by disabling FIPS mode if you had enabled it (its control can be found in Preferences -> Advanced -> Certificates tab -> Button "Security devices" -- yes, it's buried pretty deep ;-) ).
  • Windows binaries are now being built and linked against a newer Windows SDK (10.0.22000.0) to align with system support for Windows 11. It is unlikely that this will negatively affect any users at this point in time.
  • While we don't support multi-process browsing or "electrolysis", extensions may still be checking what Firefox used as an indicator to know if electrolysis was enabled in it, which in some cases would require the extension to adjust its behavior. To provide better compatibility with legacy extensions that might otherwise error out when the gMultiprocessBrowser property was completely undefined, we restored this property (hard-coded to "false" since we don't support multi-process).



v31.0.0 (2022-05-10)

This is a new milestone release.

After our unacceptable and recalled release of v30.0.0 and 30.0.1 with the departure of one of the core devs from our team requiring us to rewind and re-do several months of work to exclude undesired code changes and what likely lay at the root of the plethora of stability and run-time issues of the recalled versions, we're back on track with a new milestone building on UXP and Goanna (v5.1) with many improvements and additional user-requested features.
To prevent user confusion, we're skipping from 29 to 31.

Most important changes in this milestone:
  • We're once again accepting the installation of legacy Firefox extensions alongside our own Pale Moon exclusive extensions. As always, please note that using extensions for an old version of a different browser is entirely at your own risk and we obviously cannot and will not provide much (if any) support for their use. Firefox extensions will be indicated with an orange dot in the Add-ons Manager in the browser. This will include the converted extensions for the few of you who are coming from recalled versions with -fxguid suffixes.
  • Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data.
  • Implemented "optional chaining" (thanks, FranklinDM!).
  • Implemented setBaseAndExtent for text selections.
  • Implemented queueMicroTask() "pseudo-promise" callbacks.
  • Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect.
  • Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility.
  • Improved performance of parallel web workers in JavaScript.
  • Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
  • Updated various in-tree libraries.
  • "Default browser" controls in preferences has been moved to "General".
  • Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
  • Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
  • Fixed several crashes and stability issues.
  • Added a licensing screen to the Windows installer to clarify the browser's licensing. In other installations, you may find this licensing statement in the added license.txt file in the browser installation location.
  • Removed all Google SafeBrowsing/URLClassifier service code.
  • Restored Mac OS X code and buildability in the platform.
  • Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation.
  • Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
  • Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
  • Removed more Android/Fennec code (on-going effort to clean up our code).
  • Removed the Marionette automated testing framework.
  • Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
  • UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not applicable.



v29.4.6 (2022-04-12)

This is a security and bugfix release.

Changes/fixes:
  • Fixed a potential crash issue on bing.com.
  • Updated NSS to 3.52.4 to address security issues.
  • Fixed some thread locking issues. DiD
  • Worked around a Mesa driver bug that could cause crashes.
  • Fixed a potential resource access issue in devtools. DiD
  • Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
  • UXP Mozilla security patch summary: 1 fixed, 5 DiD, 2 rejected, 23 not applicable.



v29.4.5.1 (2022-03-29)

This is a bugfix update to address performance issues due to caching.

v29.4.5 (2022-03-23)

This is a security update.

Changes/fixes:
  • Fixed several application crash scenarios. DiD
  • Fixed a number of thread locking/mutex issues. DiD
  • Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760)
  • Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759)
  • Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
  • Fixed an issue with drag-and-drop. (CVE-2022-22756)
  • Fixed a potential crash due to truncated WAV files.
  • Fixed a memory safety issue with XSLT. (CVE-2022-26485)

v29.4.4 (2022-01-18)

This is a security update.

Changes/fixes:
  • Improved application library loading security. DiD
  • Fixed an issue in JavaScript serialization. DiD
  • Fixed a potential out-of-bounds issue in IndexedDB. DiD
  • Fixed a potential issue in widget data handling code. DiD
  • Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams.
  • Fixed an issue in the DOM FileReader code.
  • Updated NSS to 3.52.3 to address a security issue.
  • Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
  • Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable.

Important note about v30.0.0 and v30.0.1
The milestone release version has been recalled. If you are still running v30.0.* of Pale Moon Please upgrade as soon as possible. If you have any extensions installed that have been converted to an -fxguid version you should re-install them from our add-ons site with a compatible version.


You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.

Site and contents Copyright © 2009-2022 Moonchild Productions - All rights reserved
Pale Moon is subject to the following licensing.
Policies: Cookies - User Content - Privacy.