Pale Moon: Release notes

General notes:
DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

v31.3.0.1 (2022-09-28)

This is a small update to back out the changes to handling of flex containers in 31.3.0 since it caused severe usability issues on several websites.

v31.3.0 (2022-09-27)

This is a major development, bugfix and security release.

Changes/fixes:
  • Implemented .at(index) JavaScript method on built-in indexables (Array, String, TypedArray).
  • Implemented the use of EventSource in workers.
  • Enabled the sending of the Origin: header by default on same-origin requests.
  • Changed how Pale Moon is built. We are now using Visual Studio 2022 on Windows, and have made build system changes to reduce build times and pressure on the linker on all platforms.
  • Changed how Pale Moon handles standalone wave audio files (.wav). See implementation notes.
  • Improved string normalization.
  • Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update).
  • Updated the handling of flex containers in web pages for web compatibility.
  • Fixed various issues when building for Mac OS X.
  • Fixed various C++ standard conformance issues in the source code.
  • Fixed several issues building on SunOS and Linux with various configurations and gcc versions.
  • Fixed an issue with regular expressions' dotAll syntax and usage. See implementation notes.
  • Switched custom hash map to std::unordered_map where prudent.
  • Cleaned up and updated IPC thread locking code.
  • Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics.
  • Removed the unnecessary control module for building with non-standard configurations of the platform.
  • Removed the -moz prefix from min-content and max-content CSS keywords where it was still in use.
  • Security fixes: CVE-2022-40956 and CVE-2022-40958.
  • UXP Mozilla security patch summary: 2 fixed, 11 not applicable.
Implementation notes:
  • Pale Moon would previously send standalone wave audio files (.wav) to the system-configured media player if they would be opened standalone (i.e. not inside a <media> HTML element in a page). This was done due to the historical use of rather exotic codecs in .wav files that would not be broadly supported in the browser. In the current day, however, this is much less of a concern. If you prefer to retain the old behavior and send .wav files to whatever the configured system media player is, then you should set the preference media.wave.play-stand-alone to false in about:config.
  • There was a spec compliance issue with the dotAll regular expression implementation, causing it to not work properly. Specifically, using the new RegExp() constructor would not accept "s" as a flag, and the .dotAll property was not cased properly (all lowercase) causing compatibility issues.

v31.2.0.1 (2022-08-03)

This is a small out-of-band update to address the fact that the final builds did not include the intended NSS library update.

v31.2.0 (2022-08-02)

This is a major bugfix and development update.
Special thanks to Athenian200, Jobbautista9, Martok and dbsoft for their contributions this cycle :)

Changes/fixes:
  • Implemented CSS white-space: break-spaces for web compatibility.
  • Implemented Intl.RelativeTimeFormat for web compatibility.
  • Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
  • Implemented support for async generator methods in JavaScript.
  • Added preliminary support for building on Apple Silicon like M1/M2 SoC.
  • Added support for building with Visual Studio 2022.
  • Improved the handling of CSS "sticky" elements in tables.
  • Improved stack size limits on all platforms. See implementation notes.
  • Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
  • Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
  • Updated many in-tree third-party libraries to pick up various performance and stability improvements.
  • Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
  • Removed some leftover (and unused) telemetry code in the platform and front-end.
  • Fixed an issue with VP9 video playback on Windows on some systems.
  • Fixed an issue with the add-ons manager not properly handling empty update URLs.
  • Fixed a major performance regression on *nix based systems due to incorrect thread handling.
  • Fixed volume handling when building with the sndio audio back-end.
  • Pale Moon no longer applies content security policies to documents that are explicitly loaded as data documents or to images. See implementation notes.
  • Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
  • Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
  • UXP Mozilla security patch summary: 3 DiD, 12 not applicable.
Implementation notes:
  • Prior to this version, Pale Moon would apply Content Security Policies (CSPs) to all requests made to servers that would respond with a policy header, as one would expect for strict use of CSPs as-intended. Unfortunately, Chrome has been less strict in applying these policies and specifically excluded applying these policies to images and "data documents". As a result, web compatibility became a problem for non-Google browsers with webmasters being oblivious about their overzealous CSPs deployed on websites, causing images (especially SVG) and data to not load or load properly. To align with mainstream browser behavior and improve web compatibility on misconfigured websites, we are now no longer applying CSPs to images or documents explicitly loaded as arbitrary data.
  • We've adjusted default per-thread stack sizes in the platform to be more generous on all platforms. This allows the browser to render more deeply nested visual elements in web pages and the new limit matches the capabilities of mainstream browsers as a result. Please note that some custom builds may need to adjust their linker's stack sizes on some operating systems to come to a stable and usable build with this change since the new Goanna rendering depth requires this larger stack size to not run out of memory. The default per-thread stack size is now 2 MB with the exception of 32-bit Windows builds where 1.5 MB is used to go easy on its limited address space. Custom Linux builds with system-default small stack sizes should adjust their build configuration accordingly.



v31.1.1 (2022-07-07)

This is a security update.

Changes/fixes:
  • Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows.
  • Fixed a potential issue with revoked site certificates when connecting through a proxy.
  • Updated NSS to 3.52.7 to pick up some security fixes.
  • Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo.
  • Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
  • UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11 not applicable.
Rejected patches were for behavioral changes to long-standing drag and drop behavior that were marked as potential security issues. The amount of social engineering and user interaction required to abuse this behavior however has made it not a real practical issue over the past 9 years and the measures required to work around it as Mozilla has now done were considered disproportional in complexity and impact on browser behavior to warrant accepting them.

v31.1.0 (2022-06-07)

This is a major development update, focusing on media support, browser stability, performance and web compatibility.

Changes/fixes:
  • Added Mojeek as an additional search engine in the browser. See implementation notes.
  • Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility.
  • Fixed various crash scenarios in XPCOM.
  • Fixed an important stability and performance issue related to hardware acceleration.
  • Fixed a long-standing issue where overly-long address bar tooltips wouldn't break into multiple lines but instead cut off on the right side.
  • Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list.
  • Disabled broken links to MDN articles in developer tools.
  • Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
  • Enabled the date picker for <input type=date>. See implementation notes.
  • Re-enabled the use of FIPS mode for NSS. See implementation notes.
  • Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios.
  • Improved memory handling in the graphics subsystem of Goanna.
  • Updated FFvpx to v4.2.7
  • Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites.
  • Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows.
  • Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes.
  • Improved the way data is transferred to and from canvases to prevent memory safety issues.
  • Updated NSS to 3.52.6 to address security issues.
  • Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP).
  • Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number.
  • UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not applicable.
Implementation/build notes:
  • Following the concerns surrounding bias, censorship and unwanted filtering of search results by almost all available search engines, we've contacted Mojeek to have their search engine added by default to Pale Moon. This was done to offer a truly independent search alternative that has its own (long-standing) search index of the Web and does not rely on the major indexers like Bing, Google or Yahoo, who all apply bias and filtering to varying degrees on their search results (e.g. about politics or the war in the Ukraine). Since privacy-focused search engines like DuckDuckGo do rely on search results from these "big indexers", whatever their "upstream" decides to be filtered out will also affect your results through those search engines. Mojeek offers its own, entirely independent search results which may provide you with truly independent alternative results. Give it a try!
  • Form input fields of type "date" will now pop up a graphical calendar to pick dates instead of having to manually enter the dates. Please note that the default format will match the base language of the browser (American English) which will be reflected in the mm/dd/yyyy placeholder. This is cosmetic only and does not actually influence how the date is passed to the server via the form. More work is needed for better localization of date and time input fields but that did not make this release.
  • FIPS mode is a special (rather archaic) operating mode of the NSS security library and software security device that handles certificates and credentials in the browser. In v31.0.0 this operating mode was no longer supported which resulted in some users who had previously enabled FIPS mode in the browser from accessing their credentials (giving errors on the master password, instead). For the time being, support for this mode is enabled again but if you use it, please disable this mode as it will go away. Standard operating mode with a master password is more secure than FIPS mode at this point, and FIPS was only ever necessary for US governmental use and "grandfathered in" without getting much attention. This will go away permanently over time so please pre-empt this removal by disabling FIPS mode if you had enabled it (its control can be found in Preferences -> Advanced -> Certificates tab -> Button "Security devices" -- yes, it's buried pretty deep ;-) ).
  • Windows binaries are now being built and linked against a newer Windows SDK (10.0.22000.0) to align with system support for Windows 11. It is unlikely that this will negatively affect any users at this point in time.
  • While we don't support multi-process browsing or "electrolysis", extensions may still be checking what Firefox used as an indicator to know if electrolysis was enabled in it, which in some cases would require the extension to adjust its behavior. To provide better compatibility with legacy extensions that might otherwise error out when the gMultiprocessBrowser property was completely undefined, we restored this property (hard-coded to "false" since we don't support multi-process).



v31.0.0 (2022-05-10)

This is a new milestone release.

After our unacceptable and recalled release of v30.0.0 and 30.0.1 with the departure of one of the core devs from our team requiring us to rewind and re-do several months of work to exclude undesired code changes and what likely lay at the root of the plethora of stability and run-time issues of the recalled versions, we're back on track with a new milestone building on UXP and Goanna (v5.1) with many improvements and additional user-requested features.
To prevent user confusion, we're skipping from 29 to 31.

Most important changes in this milestone:
  • We're once again accepting the installation of legacy Firefox extensions alongside our own Pale Moon exclusive extensions. As always, please note that using extensions for an old version of a different browser is entirely at your own risk and we obviously cannot and will not provide much (if any) support for their use. Firefox extensions will be indicated with an orange dot in the Add-ons Manager in the browser. This will include the converted extensions for the few of you who are coming from recalled versions with -fxguid suffixes.
  • Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data.
  • Implemented "optional chaining" (thanks, FranklinDM!).
  • Implemented setBaseAndExtent for text selections.
  • Implemented queueMicroTask() "pseudo-promise" callbacks.
  • Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect.
  • Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility.
  • Improved performance of parallel web workers in JavaScript.
  • Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
  • Updated various in-tree libraries.
  • "Default browser" controls in preferences has been moved to "General".
  • Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
  • Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
  • Fixed several crashes and stability issues.
  • Added a licensing screen to the Windows installer to clarify the browser's licensing. In other installations, you may find this licensing statement in the added license.txt file in the browser installation location.
  • Removed all Google SafeBrowsing/URLClassifier service code.
  • Restored Mac OS X code and buildability in the platform.
  • Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation.
  • Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
  • Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
  • Removed more Android/Fennec code (on-going effort to clean up our code).
  • Removed the Marionette automated testing framework.
  • Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
  • UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not applicable.



v29.4.6 (2022-04-12)

This is a security and bugfix release.

Changes/fixes:
  • Fixed a potential crash issue on bing.com.
  • Updated NSS to 3.52.4 to address security issues.
  • Fixed some thread locking issues. DiD
  • Worked around a Mesa driver bug that could cause crashes.
  • Fixed a potential resource access issue in devtools. DiD
  • Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
  • UXP Mozilla security patch summary: 1 fixed, 5 DiD, 2 rejected, 23 not applicable.



v29.4.5.1 (2022-03-29)

This is a bugfix update to address performance issues due to caching.

v29.4.5 (2022-03-23)

This is a security update.

Changes/fixes:
  • Fixed several application crash scenarios. DiD
  • Fixed a number of thread locking/mutex issues. DiD
  • Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760)
  • Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759)
  • Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
  • Fixed an issue with drag-and-drop. (CVE-2022-22756)
  • Fixed a potential crash due to truncated WAV files.
  • Fixed a memory safety issue with XSLT. (CVE-2022-26485)

v29.4.4 (2022-01-18)

This is a security update.

Changes/fixes:
  • Improved application library loading security. DiD
  • Fixed an issue in JavaScript serialization. DiD
  • Fixed a potential out-of-bounds issue in IndexedDB. DiD
  • Fixed a potential issue in widget data handling code. DiD
  • Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams.
  • Fixed an issue in the DOM FileReader code.
  • Updated NSS to 3.52.3 to address a security issue.
  • Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
  • Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable.

Important note about v30.0.0 and v30.0.1
The milestone release version has been recalled. If you are still running v30.0.* of Pale Moon Please upgrade as soon as possible. If you have any extensions installed that have been converted to an -fxguid version you should re-install them from our add-ons site with a compatible version.


You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.

Site and contents Copyright © 2009-2022 Moonchild Productions - All rights reserved
Pale Moon is subject to the following licensing.
Policies: Cookies - User Content - Privacy.