Pale Moon: Release notes
DiD: This means that a fix is "Defense-in-Depth": It is a fix that
does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
This is a security update.
- Improved application library loading security. DiD
- Fixed a potential out-of-bounds issue in IndexedDB. DiD
- Fixed a potential issue in widget data handling code. DiD
- Fixed potentially exploitable crashes in handling
truncated/corrupt media files or streams.
- Fixed an issue in the DOM FileReader code.
- Updated NSS to 3.52.3 to address a security issue.
- Fixed the following security issues: CVE-2022-22736,
CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and
- Unified XUL Platform Mozilla Security Patch Summary: 8
fixed, 4 DiD, 17 not applicable.
This is a security update with a few extras.
This update reinstates FUEL again for old extension compatibility. See
- Restored the FUEL abstraction library again.
- Added some extra sanity checks to timers and text
- Added a potential crash safeguard in program threading
- Fixed the following security issues: CVE-2021-43537,
CVE-2021-43541, CVE-2021-43536, CVE-2021-43545 and CVE-2021-43542.
- Unified XUL Platform Mozilla Security Patch Summary: 5
fixed, 3 DiD, 10 not applicable.
- Despite being removed in 29.4.0 and 29.4.2, the long-since
deprecated FUEL abstraction functions inside Pale Moon have been
restored again after considerable blowback from the community and lack
of effort to fix afflicted extensions. It was decided to just restore
this indefinitely in the end, since it serves no-one to have users be
forced to do without or stay on insecure versions of the browser for
something nobody seems to want to address in the extension ecosystem.
A more in-depth announcement about a change in direction tying in with
this note can be found on the
This is a small update to address the following issue:
Autocomplete drop-downs would have incorrect styling, causing issues
with custom themes (e.g. unreadable) and not displaying as intended.
This is a security update.
Security notice: If you have enabled HTTP Alternative Services for
Opportunistic Encryption, it is strongly recommended you disable this
at this time through Preferences -> Security -> Opportunistic
Encryption -> Enable HTTP Alternative Services for Opportunistic
Encryption. This inherently weak transitional
technology for http -> https has been compromised and can be abused
(partial opt-in bypass). Note that our platform default for this
setting (and any other OE) is disabled due to these kinds of inherent
risks, as well as lack of transparency about the connection and server
contacted. See CVE-2021-38507 for more details about this problem.
- Fixed a spec compliance issue with IDN that could
potentially cause confusion of domain names.
- Fixed several intermittent thread sanity issues. DiD
- Fixed a potential UAF risk in certain situations in
- Fixed a potential crash risk (not exposed). DiD
- Fixed a potential spoofing risk using form validation.
- Fixed a script sandbox escape issue through XSLT.
- Added a preference to enable compatibility mode with
earlier TLS 1.3 specifications. See implementation notes.
- Unified XUL Platform Mozilla Security Patch Summary: 3
fixed, 1 already applied, 4 DiD, 7 not applicable.
- A preference (
was added to allow users to enable TLS 1.3 compatibility mode that uses
an older draft specification of the protocol. A restart of the browser
is required when you change this preference. Please note that you
should only use this option if you strictly require it for e.g.
outdated proxies, load-balancers or middleware, as it potentially
weakens your connection security.
- FUEL was removed (again). If extensions that used FUEL
weren't updated to account for this since the clear warning 3 months
ago when we removed it in 29.4.0 and temporarily reinstated it to give
extension developers more time to address this issue, then they will no
longer function properly with this release.
This is a security update.
- Fixed potential crashes. DiD
- Fixed a potential indirect exploit of Microsoft Internet
- Unified XUL Platform Mozilla Security Patch Summary: 1
fixed, 2 DiD, 8 not applicable.
This is an out-of-band update to address the issue that on rare
occasions on both Linux and Windows, audio would stop working (e.g. for
playing videos or MP3s). We're still investigating the root cause of
this issue on Windows (Linux cause was already found) but have
temporarily reverted to our previous audio library (libcubeb) version
for this release to provide a proper media experience for our users in
This is an out-of-band update to address the following issue:
In 29.4.0, the optional FUEL component (long since deprecated precursor
to the Mozilla Add-On SDK) was removed from Pale Moon. This had
unexpected impact on a number of popular extensions as well as a few
bits of core functionality that went unnoticed in our pre-release
testing and unstable channel.
As part of our commitment to resolving issues and giving extension
developers some more time to address any problems with this removal of
the component from the browser, this update temporarily restores the
If you are an extension developer relying on FUEL components or
namespaces (e.g. implicit 'Application'), please update your extension
before the next major release.
This is a development, bugfix and security release. Our release
schedule was adjusted here to provide web compatibility improvements
and not just a security update this month.
- Implemented global
origin on windows and
- Improved performance of memory allocations.
- Updated libcubeb to the current development version.
This improves OSS compatibility and addresses potential crashes,
performance issues and security issues.
- Updated SQLite to 3.36.0.
- Improved thread safety of the web content cache. DiD
- Added several fixes to avoid potential crashes and security
- Unified XUL Platform Mozilla Security Patch Summary: 5 DiD,
12 not applicable.
This is a development, bugfix and security release.
- "Web Developer" is now called "Developer Tools" in the
- Updated and aligned about:home, the QuickDial page and
- Re-organized the privacy category in the preferences window.
- Enabled brotli compression for http for sites that support
it. See implementation notes.
EventTarget as a constructor.
- Updated Windows 10 toolkit styling.
- Updated the port blacklist (removed 10080). See
- CSS: Implemented
calc() and animation support
- Added support for checking boolean preferences to chrome
CSS style sheets, to support more advanced theming options.
- Added support for dynamic dark color capable themes in CSS.
- Updated ResizeObserver implementation to a more recent
specification. See implementation notes.
- Removed a metric ton of Macintosh code.
- Removed obsolete system theme support from the layout
- Fixed several crashes.
- Linux: blocked particularly old versions of Mesa/Nouveau
drivers due to issues.
- Security issues addressed: CVE-2021-30547 and several other
issues that don't have a CVE number.
- Unified XUL Platform Mozilla Security Patch Summary: 3
fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.
- Brotli compression (introduced a few years back) was
originally restricted to https only in web browsers because there
was some concern about interaction with middleware boxes with poor
design trying to transparently recompress data not recognizing the new
compression stream type and causing failures. The kind of processing
done in those boxes (SDCH) has long since been deprecated. Since then,
the segregation for Brotli between http and https has been maintained
by Chrome and Firefox as a vessel to further promote https over http by
artificially keeping http less efficient (denying the use of the more
dense Brotli compression). Since there is no technical reason not to
enable Brotli over http, we will accept (by way of
Brotli over plain http from this version on, offering up to 20% less
bandwidth use when servers also support it.
- We maintain a blacklist of ports that should not be
addressed from a browser (primarily to prevent scripted abuse). Not too
long ago we updated these ports with a number of additional (higher
range) ones, including port 10080 (Amanda). Unfortunately there is too
much overlap with other common services/devices that also use this
(arbitrarily chosen) port, so we've removed this particular port again
from our blacklist.
ResizeObserver implementation was changed
to now support the updated specification for this API, including the
which allows finer control to respond to size changes of elements. The
old spec sizing property of
contentRect remains supported
for web compatibility.
This is a small bugfix release.
There were no security issues that applied to UXP or Pale Moon this
- Worked around an issue with autocomplete popups sometimes
failing to work (and added some debug console logging to it in case it
happens to help find the root cause).
- Fixed an issue with DOM mouse scrolling throwing errors.
- Fixed a race with network detection routines firing
incorrectly when resuming from standby.
- Fixed a crash when using large uploads through DOM.
- Fixed an issue where the menulist-button on editable
menulist widgets was not visible on GTK3.
- Reduced the number of reported "important preferences" in
troubleshooting information, excluding individual printer details.
- Fixed an issue with the JS JIT compiler not tracing
debugger environments (DiD).
This is a development and bugfix release.
Starting with this version, we will no longer be supporting
unmaintained legacy Firefox extensions that are not updated
for/targeting Pale Moon directly.
Please see this forum post for details.
- When opening tabs from the History side bar, Pale Moon will
now warn you about the action if it would result in opening many tabs
- Pale Moon now offers "Open All in Tabs" on bookmark folders
even if there is only one sub-item in it, for UI consistency.
- Added media format controls in the Content category of
- Added controls for preferred color scheme. See
- Updated several site-specific user-agent overrides for web
- Removed the ability to accept Firefox IDs for extension
- Removed conditional Macintosh code from the application
- Updated the AV1 reference library to 2.0.
- Cleaned up more Android code from the platform.
- Updated the embedded emoji font to cater to even more
race-dependent profession emoji.
- Fixed an overflow in clip paths, potentially causing them
to be rendered incorrectly.
- Added CSS values
pixelated to the
to allow deconstruction of localized number formats by scripts.
- Reinstated the
preference and fixed a rendering issue with summary/details html
- Fixed an issue with CSP
.nonce attributes on
- Security issues addressed: CVE-2021-29946 DiD and CVE-2021-23994 DiD.
- Unified XUL Platform Mozilla Security Patch Summary: 2 DiD,
14 not applicable.
- This version adds support for the
CSS keyword. This keyword is a media query keyword that indicates to
websites whether your content styling preference is "light" or "dark".
Unlike other browsers where this will be tied to your system color
scheme and determined automatically (which might be a point on which
you can be fingerprinted, so this would be a privacy concern), we've
decided to give the user control through Preferences -> Content
-> Colors where you will find a new control to indicate your user
preference (it defaults to "light" for everyone). While this control
also gives you the option to disable this feature and effectively not
support the keyword, be aware that this might cause issues on some
websites that do not provide styling for "unspecified" color scheme
In the future we may add an
"automatic" option similar to other browsers in case you regularly
switch your system application style from light to dark and v.v.
Release notes for older versions than those listed here
You can find the release notes for previous releases of Pale Moon on
the Archived Release