Pale Moon: Release notes

General note:
DiD: marks a fix as "Defense-in-Depth". Such a fix does not address a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes and exposes the problem, or when new attack vectors are discovered.

v29.4.4 (2022-01-18)

This is a security update.

  • Improved application library loading security. DiD
  • Fixed an issue in JavaScript serialization. DiD
  • Fixed a potential out-of-bounds issue in IndexedDB. DiD
  • Fixed a potential issue in widget data handling code. DiD
  • Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams.
  • Fixed an issue in the DOM FileReader code.
  • Updated NSS to 3.52.3 to address a security issue.
  • Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
  • Unified XUL Platform Mozilla Security Patch Summary: 8 fixed, 4 DiD, 17 not applicable.

v29.4.3 (2021-12-14)

This is a security update with a few extras.
This update reinstates FUEL again for old extension compatibility. See implementation notes.

  • Restored the FUEL abstraction library again.
  • Added some extra sanity checks to timers and text fragments. DiD
  • Added a potential crash safeguard in program threading logic. DiD
  • Fixed the following security issues: CVE-2021-43537, CVE-2021-43541, CVE-2021-43536, CVE-2021-43545 and CVE-2021-43542.
  • Unified XUL Platform Mozilla Security Patch Summary: 5 fixed, 3 DiD, 10 not applicable.
Implementation notes:
  • Despite being removed in 29.4.0 and 29.4.2, the long-since-deprecated FUEL abstraction functions inside Pale Moon have been restored again after considerable blowback from the community and a lack of effort to fix the afflicted extensions. In the end it was decided to restore this indefinitely, since it serves no one to have users forced to do without, or stay on insecure versions of the browser, for something nobody seems to want to address in the extension ecosystem. A more in-depth announcement about a change in direction tying in with this note can be found on the forum.

v29.4.2.1 (2021-11-11)

This is a small update to address the following issue:
Autocomplete drop-downs would have incorrect styling, causing issues with custom themes (e.g. unreadable text) and not displaying as intended.

v29.4.2 (2021-11-09)

This is a security update.

  • Fixed a spec compliance issue with IDN that could potentially cause confusion of domain names.
  • Fixed several intermittent thread sanity issues. DiD
  • Fixed a potential UAF risk in certain situations in networking. DiD
  • Fixed a potential crash risk (not exposed). DiD
  • Fixed a potential spoofing risk using form validation. (CVE-2021-38508)
  • Fixed a script sandbox escape issue through XSLT. (CVE-2021-38503)
  • Added a preference to enable compatibility mode with earlier TLS 1.3 specifications. See implementation notes.
  • Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 1 already applied, 4 DiD, 7 not applicable.
Security notice: If you have enabled HTTP Alternative Services for Opportunistic Encryption, it is strongly recommended that you disable this at this time through Preferences -> Security -> Opportunistic Encryption -> Enable HTTP Alternative Services for Opportunistic Encryption. This inherently weak transitional technology for http -> https has been compromised and can be abused (partial opt-in bypass). Note that our platform default for this setting (and any other OE) is disabled because of these kinds of inherent risks, as well as the lack of transparency about the connection made and the server contacted. See CVE-2021-38507 for more details about this problem.

Implementation notes:
  • A preference (security.ssl.enable_tls13_compat_mode) was added to allow users to enable TLS 1.3 compatibility mode that uses an older draft specification of the protocol. A restart of the browser is required when you change this preference. Please note that you should only use this option if you strictly require it for e.g. outdated proxies, load-balancers or middleware, as it potentially weakens your connection security.
  • FUEL was removed (again). If extensions that used FUEL weren't updated to account for this since the clear warning 3 months ago when we removed it in 29.4.0 and temporarily reinstated it to give extension developers more time to address this issue, then they will no longer function properly with this release.

v29.4.1 (2021-09-14)

This is a security update.

  • Fixed potential crashes. DiD
  • Fixed a potential indirect exploit of Microsoft Internet Explorer. (CVE-2021-38492)
  • Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 DiD, 8 not applicable.

v29.4.0.2 (2021-08-23)

This is an out-of-band update to address the issue that, on rare occasions on both Linux and Windows, audio would stop working (e.g. for playing videos or MP3s). We're still investigating the root cause of this issue on Windows (the Linux cause was already found) but have temporarily reverted to our previous audio library (libcubeb) version for this release to provide a proper media experience for our users in the interim.

v29.4.0.1 (2021-08-18)

This is an out-of-band update to address the following issue:
In 29.4.0, the optional FUEL component (a long-since-deprecated precursor to the Mozilla Add-On SDK) was removed from Pale Moon. This had an unexpected impact on a number of popular extensions, as well as a few bits of core functionality, that went unnoticed in our pre-release testing and unstable channel.
As part of our commitment to resolving issues and giving extension developers some more time to address any problems with this removal of the component from the browser, this update temporarily restores the FUEL component.
If you are an extension developer relying on FUEL components or namespaces (e.g. implicit 'Application'), please update your extension before the next major release.

v29.4.0 (2021-08-17)

This is a development, bugfix and security release. Our release schedule was adjusted here to provide web compatibility improvements and not just a security update this month.

  • Implemented promise.allSettled().
  • Implemented global origin on windows and workers.
  • Improved performance of memory allocations.
  • Updated libcubeb to the current development version.
    This improves OSS compatibility and addresses potential crashes, performance issues and security issues.
  • Updated SQLite to 3.36.0.
  • Improved thread safety of the web content cache. DiD
  • Added several fixes to avoid potential crashes and security issues. DiD
  • Unified XUL Platform Mozilla Security Patch Summary: 5 DiD, 12 not applicable.

v29.3.0 (2021-07-19/20)

This is a development, bugfix and security release.

  • "Web Developer" is now called "Developer Tools" in the menus.
  • Updated and aligned about:home, the QuickDial page and logopage styling.
  • Re-organized the privacy category in the preferences window.
  • Enabled brotli compression for http for sites that support it. See implementation notes.
  • Implemented EventTarget as a constructor.
  • Updated Windows 10 toolkit styling.
  • Updated the port blacklist (removed 10080). See implementation notes.
  • CSS: Implemented calc() and animation support for stroke-dashoffset.
  • Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options.
  • Added support for dynamic dark color capable themes in CSS.
  • Updated ResizeObserver implementation to a more recent specification. See implementation notes.
  • Removed a metric ton of Macintosh code.
  • Removed obsolete system theme support from the layout engine.
  • Fixed several crashes.
  • Linux: blocked particularly old versions of Mesa/Nouveau drivers due to issues.
  • Security issues addressed: CVE-2021-30547 and several other issues that don't have a CVE number.
  • Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.
Implementation notes:
  • Brotli compression (introduced a few years back) was originally restricted to https only in web browsers because of concern about poorly designed middleware boxes that try to transparently recompress data, do not recognize the new compression stream type, and cause failures. The kind of processing done in those boxes (SDCH) has long since been deprecated. Since then, the segregation of Brotli between http and https has been maintained by Chrome and Firefox as a vehicle to further promote https over http, by artificially keeping http less efficient (denying it the denser Brotli compression). Since there is no technical reason not to enable Brotli over http, from this version on we will accept (by way of Accept-Encoding) Brotli over plain http, offering up to 20% less bandwidth use when servers also support it.
  • We maintain a blacklist of ports that should not be addressed from a browser (primarily to prevent scripted abuse). Not too long ago we updated these ports with a number of additional (higher range) ones, including port 10080 (Amanda). Unfortunately there is too much overlap with other common services/devices that also use this (arbitrarily chosen) port, so we've removed this particular port again from our blacklist.
  • The ResizeObserver implementation was changed to support the updated specification for this API, including the experimental properties contentBoxSize and borderBoxSize, which allow finer control when responding to size changes of elements. The old-spec sizing property contentRect remains supported for web compatibility.

v29.2.1 (2021-06-08)

This is a small bugfix release.

  • Worked around an issue with autocomplete popups sometimes failing to work (and added some debug console logging to it, in case it happens again, to help find the root cause).
  • Fixed an issue with DOM mouse scrolling throwing errors.
  • Fixed a race with network detection routines firing incorrectly when resuming from standby.
  • Fixed a crash when using large uploads through DOM.
  • Fixed an issue where the menulist-button on editable menulist widgets was not visible on GTK3.
  • Reduced the number of reported "important preferences" in troubleshooting information, excluding individual printer details.
  • Fixed an issue with the JS JIT compiler not tracing debugger environments (DiD).
There were no security issues that applied to UXP or Pale Moon this release cycle.

v29.2.0 (2021-04-27)

This is a development and bugfix release.
Starting with this version, we will no longer be supporting unmaintained legacy Firefox extensions that are not updated for/targeting Pale Moon directly.
Please see this forum post for details.

  • When opening tabs from the History side bar, Pale Moon will now warn you about the action if it would result in opening many tabs at once.
  • Pale Moon now offers "Open All in Tabs" on bookmark folders even if there is only one sub-item in it, for UI consistency.
  • Added media format controls in the Content category of Preferences.
  • Added controls for preferred color scheme. See implementation notes.
  • Updated several site-specific user-agent overrides for web compatibility.
  • Removed the ability to accept Firefox IDs for extension installation.
  • Removed conditional Macintosh code from the application front-end.
  • Updated the AV1 reference library to 2.0.
  • Cleaned up more Android code from the platform.
  • Updated the embedded emoji font to cater to even more race-dependent profession emoji.
  • Fixed an overflow in clip paths, potentially causing them to be rendered incorrectly.
  • Added CSS values smooth, high-quality and pixelated to the image-rendering keyword.
  • Implemented Intl.NumberFormat.formatToParts() to allow deconstruction of localized number formats by scripts.
  • Reinstated the dom.details_element.enabled preference and fixed a rendering issue with summary/details html elements.
  • Fixed an issue with CSP .nonce attributes on elements.
  • Security issues addressed: CVE-2021-29946 (DiD) and CVE-2021-23994 (DiD).
  • Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 14 not applicable.
Implementation notes:
  • This version adds support for the prefers-color-scheme CSS keyword. This keyword is a media query keyword that indicates to websites whether your content styling preference is "light" or "dark". Unlike other browsers, where this is tied to your system color scheme and determined automatically (which might be a point on which you can be fingerprinted, so this would be a privacy concern), we've decided to give the user control through Preferences -> Content -> Colors, where you will find a new control to indicate your user preference (it defaults to "light" for everyone). While this control also gives you the option to disable this feature and effectively not support the keyword, be aware that this might cause issues on some websites that do not provide styling for "unspecified" color scheme preferences.
    In the future we may add an "automatic" option similar to other browsers, in case you regularly switch your system application style from light to dark and vice versa.
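The implementation note above warns that a site which only styles the "light" and "dark" cases breaks in a browser where the keyword is disabled, because then neither media query matches. The following is an added example, not Pale Moon or UXP code, of how page script should resolve the scheme so that "no preference" (disabled, or an engine without the keyword) still gets usable styling. The stand-ins for window.matchMedia are constructed so the code runs outside a browser.

```javascript
// Added example (not Pale Moon/UXP code): resolving the colour scheme a page
// should render from a matchMedia-like function, falling back to a default
// when no prefers-color-scheme query matches (keyword disabled or absent).
function resolveColorScheme(matchMedia, fallback = "light") {
  if (typeof matchMedia !== "function") return fallback;   // no media query API at all
  if (matchMedia("(prefers-color-scheme: dark)").matches) return "dark";
  if (matchMedia("(prefers-color-scheme: light)").matches) return "light";
  return fallback;   // neither matched: treat as "no preference"
}

// Apply the result to the document root as a data attribute that CSS can
// key on; guarded so the call is harmless without a DOM.
function applyColorScheme(doc, matchMedia) {
  const scheme = resolveColorScheme(matchMedia);
  if (doc && doc.documentElement && doc.documentElement.dataset) {
    doc.documentElement.dataset.theme = scheme;
  }
  return scheme;
}

// Constructed stand-ins for window.matchMedia in the states the note
// describes: user chose dark, user chose light, feature disabled.
const FAKE_MATCH_MEDIA = {
  dark:     (q) => ({ matches: q.includes("dark") }),
  light:    (q) => ({ matches: q.includes("light") }),
  disabled: () => ({ matches: false }),
};

function colorDemo() {
  return {
    dark:     resolveColorScheme(FAKE_MATCH_MEDIA.dark),
    light:    resolveColorScheme(FAKE_MATCH_MEDIA.light),
    disabled: resolveColorScheme(FAKE_MATCH_MEDIA.disabled),
    noApi:    resolveColorScheme(undefined),
  };
}
```

The same rule applies on the CSS side: declare the default (light) colours unconditionally and override them only inside `@media (prefers-color-scheme: dark)`. Putting every colour inside `(prefers-color-scheme: light)` and `(prefers-color-scheme: dark)` blocks leaves nothing for the case where neither matches.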

Release notes for older versions than those listed here

You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.

Site and contents Copyright © 2009-2022 Moonchild Productions - All rights reserved