Pale Moon: Release notes
DiD This means that
a fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
This is a small bugfix update addressing 2 more important issues in
- Fixed an issue with browser migration and initialization
code causing various browser run-time problems.
- Fixed an issue with cache behavior where some users would
have trouble having their windows and tabs restored in "soft refresh"
mode (see v28.9.0 release notes).
To solve this, we reverted to the previous (pull from cache) mode for
now while we investigate the cause.
This is a small update to address a breaking issue with user-agent
override strings, causing problems on certain websites for a number of
This is a major development update.
- Implemented asynchronous iterators (
for await loops) (ES2018)
- Implemented promise-based media playback.
- Implemented non-standard legacy CSSStyleSheet rules
- Implemented the html5
To switch this on, flip
- Implemented the optional hiding of pinned tabs in
CtrlTab/AllTab panes. (controlled through the preferences
- Added 1.25x playback speed to html media elements.
- Added a hidden pref (
to control the sizes of default smart bookmarks categories.
document.open() with the overhauled
- Aligned the way DOM styles are computed with mainstream
- Removed the (unused) DOM promise implementation.
- Enabled seeking to next frame in media files.
- Enabled dynamic UA updates for emergency use.
- Implemented rule processing stub for
- Increased the maximum XML nesting depth to 2048 levels for extreme corner cases
and to conservatively align with other browsers.
- Improved the privacy of geolocation lookup calls, with
thanks to a generous service donation from ip-api.com
- Improved reporting of the operating system in site-specific
- Improved table drawing performance again after the rewrite
for sticky positioning making it slower.
- Updated CSP processing to allow custom scheme wildcards to
be specified without a port.
- Aligned the behavior of outlines with other browsers when
dealing with CSS-repositioned elements.
- Changed the way hardware acceleration is controlled from
- Changed the default monospace font for main languages from Courier New to Consolas.
This provides a more balanced font for fixed-width text that is
slightly more condensed and more in line with the naturally compacter
variable-width fonts used everywhere else.
- Changed the browser's behavior when restoring tabs from
previous sessions. To prevent stale pages, it will now by default
perform a "soft refresh" of the page instead of drawing it purely from
cache without checking if the page needs updating. If you prefer the
old behavior, set
- Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the
previous custom patch level with NSS being able to support custom
rounds for DBM now.
For extensive release notes with all NSS changes, see NSS_Releases
- Implemented an NSS performance optimization for Master
Password use with limited effect.
- Fixed some potential crashing scenarios with WebGL on Linux.
- Completely removed
- Disabled some logging in production builds.
- Removed various gadgeteering/redundant/dead DOM APIs
- Removed support for a number of critical libraries being
- Removed "Copy raw data" button from the troubleshooting
information page, since it's never used by us in that format, and users
mistakenly keep using it instead of copying text.
- Removed a bunch of Android and iOS support code.
- Fixed an issue with form elements sometimes being
- Fixed several crashes.
- Fixed an issue with Captive Portal detection sometimes
firing even when disabled by the user.
- Performed various tree-wide code cleanups.
- Backed out a large code cleanup patch for causing subtle
issues in website operation (e.g. WordPress). This will have to be
revisited later; the reintroduced code is not in use in practice.
- Cleaned up the application updater code.
- Fixed a potential pointer issue in cubeb. DiD
- Disabled allowing remote
jar: URIs by default
for security reasons. If you need this functionality for your
non-standard environment, you can enable it with the preference
but please consider moving away from this method of providing web-based
- Removed a potentially dangerous and otherwise ineffective
- Fixed unwanted behavior where created/focused pop-up
windows could potentially cover the DOM fullscreen notification, hiding
it from users. (CVE-2020-6810)
- Fixed an issue where copying data as a curl request from
developer tools would not properly escape parameters. (CVE-2020-6811)
- Updated our sctp library code with several upstream fixes.
- Unified XUL Platform Mozilla Security Patch Summary: 4
fixed, 3 already mitigated, 1 rejected, 11 not applicable.
This is a small security and compatibility update.
- Implemented optional catch binding (ES2019).
- Fixed a hazardous crash related to module scripting
This is a regular maintenance bugfix and security release.
- Fixed an issue in CSP blocking requests without a port for
- Fixed a potentially hazardous crash in layers.
- Fixed random crashes on some sites using IndexedDB.
- Changed the way the application can be invoked from the
command-line to prevent a whole class of potential exploits involving
If your special-needs environment
requires that you launch the browser with custom browser/gre omnijars
from the command-line, you must
set the UXP_CUSTOM_OMNI
environment variable before launch from this point forward.
- Fixed an issue in the html parser after using HTML5
not be allowed, risking XSS vulnerabilities on sites relying on correct
operation of the browser. (CVE-2020-6798)
- Unified XUL Platform Mozilla Security Patch Summary: 2
fixed, 2 DiD, 10 not applicable.
This is a minor release in response to YouTube deprecating their old
web UI. This change will enable the new YouTube UI by default.
This is a small bugfix and compatibility update.
lookarounds since the implementation caused crashes. We'll have to
revisit this later.
- Fixed an issue where FTP servers would hang the browser if
they were not sending answers according to the protocol specification.
- Added a workaround for GitHub trying to enforce more
Google-isms (which we don't support at this time) to browsers that
identify as "Firefox-alike".
This is an important security and stability release. Please update your
browser to this version as soon as possible.
- Fixed a sampling issue in libsoundtouch (DiD)
- Fixed an issue with a new upcoming Windows 10 feature not
honoring Private Browsing mode by default (DiD)
- Fixed several stability and memory safety hazards. (DiD)
- Fixed an issue where files could inadvertently be executed
with the designated file type handler instead of opened.
lead to exploitable crashes. (CVE-2019-17026)
- Unified XUL Platform Mozilla Security Patch Summary: 2
fixed, 7 DiD, 12 not applicable.
This is a major development release. Many things have been improved,
some landmark features have been added/enabled, and many libraries have
been updated for added stability and performance. We hope you are as
happy with this progress as we are!
All the best wishes for the Holidays to everyone!
- Added support for modern Solaris operating systems like
Illumos (thanks Athenian200!).
position:sticky for table parts -
You can now use CSS to e.g. stick table headers so they don't scroll
off the screen!
- Enabled basic implementation of module type scripting.
While not fully spec compliant (yet), this will fix the few web
compatibility issues with sites that rely on this feature without
fallback (e.g. the Chromium bugtracker).
- Implemented Regular Expression lookbehind (ES2018).
- Implemented Regular Expression /s flag (dotAll support)
- Added Ekoru to the list of default search engines. This is
a Bing-backed search engine that donates the majority of its revenue to
various charities that support the planet and animals. An
environment-supporting alternative to Ecosia if you don't want to
support Google in the process.
- Changed the way tables are rendered to fix a number of spec
compliance issues and allow relative positioning of table parts.
- Now building against the Windows 10 SDK 10.0.17763.132 for
increased compatibility with Windows 10 and improved Spectre mitigation.
- Removed the unused DiskSpaceWatcher component.
- Updated cairo code.
- Updated SQLite to 3.30.1.
- Updated the Brotli library to 1.0.7.
- Updated the woff2 library to 1.0.2.
- Updated the OpenType Sanitizer to 8.0.0.
- Updated the embedded Emoji font to Mozilla's COLR-mapped
twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
- Improved CSS grid rendering.
- Changed packaging for archives to use 7z/xz instead of
- Made the second argument of (DOM/CSS)
optional for (Chrome) web compatibility.
- Removed the non-standard
functions. Please note that this may affect some extensions; those will
need to be updated to no longer use these non-standard functions.
- Fixed the status bar module to work around an issue with
- Fixed a build failure in the libcubeb sndio module.
- Fixed a small oversight in the release branch that would
potentially still mark "jnlp" (Java Web Start) files as executable.
- Fixed the certificate retrieval logic in the certificate
- Fixed an issue with add-ons potentially getting confused
during add-on updates due to cached scripts.
- Fixed a crash due to unnecessary reparenting calls in
- Reinstated the mentioning of the number of
accelerated/total windows in Troubleshooting Information, for
- Moved the embedded font for Emoji from application to
platform so all UXP applications can easily benefit from it (thanks
- Cleaned up the jemalloc code: Removed dead/unused code,
removed conditionals around "always on" code, and made the allocator
- Removed the silent fallback to insecure install locations
Pale Moon will no longer by default install into unprotected program
locations (this was a regression in v28).
If your operating system account does not have the necessary
privileges, you need to manually select an accessible folder to install
into. This is important to prevent malware from modifying installed
programs in well-known but otherwise unprotected installation locations.
- Added a preference for, and disabled, the confirmation
for URL authentication (prevents evil traps).
- Disabled the use of HPKP by default due to the inherent
risks involved with this feature. A preference was added to completely
disable header processing, and using preloaded pins is effectively
disabled. Please note that this is automatically disabled by default
for everyone, regardless of your previous setting for this feature, and
it is strongly recommended you keep this feature disabled. HPKP will
eventually be removed (overall Internet concensus).
- Fixed a potential issue when interacting with plugins. (DiD)
- Fixed a potential crash scenario when reading PAC
- Fixed a potential issue with text selection painting. (DiD)
- Fixed an issue with element references not being properly
- Fixed an issue with incorrect saving of web pages as text.
- Fixed a potential issue with clipboard handling. (DiD)
- Fixed a potential issue with attaching the debugger to web
- Updated NSS to 3.41.4 to address CVE-2019-11756 and
- Unified XUL Platform Mozilla Security Patch Summary: 2
fixed, 8 DiD, 16 not applicable.
This is a security and bugfix update.
- Disabled the use of ICC color profiles for images on Linux
- Updated timezone data for internationalization functions.
- Fixed the option to use hardware acceleration over RDP for
Windows 8.1 and 10.
- Fixed an issue with inner window navigation potentially
- Fixed a startup crash caused by Qihoo 360 Safeguard/360
- Ported some expat parser fixes from upstream.
- Ported several NSS upstream fixes to our build.
- Aligned handling of U+0000 in the html5 parser with
- Added size checks to WebGL data buffering.
- Fixed build issues with newer glibc versions.
- Fixed build issues for ARM targets.
- Worked around a gcc9 compiler issue that would prevent
building with it.
- Sec bug fixes: CVE-2019-15903, CVE-2019-11757,
CVE-2019-11763 and several potentially exploitable crashes and memory
safety hazards that don't have a CVE number.
- Unified XUL Platform Mozilla Security Patch Summary: 6
fixed, 6 DiD, 1 rejected, 24 not applicable.
This is a security and bugfix update.
- Fixed an issue where saving a webpage to disk would
sometimes drop tags from the document.
- Fixed an issue with click-to-play plugin content throwing
up a blank notification.
- Fixed an issue in the renderer where region intersections
would sometimes return the wrong result.
This fixes a regression caused by the fix for CVE-2016-5252.
- Fixed security issues: CVE-2019-11744, CVE-2019-11752,
CVE-2019-11737, CVE-2019-11746, CVE-2019-11750, CVE-2019-11747 and
- Unified XUL Platform Mozilla Security Patch Summary: 7
fixed, 1 DiD, 1 already covered, 22 not applicable.
engine overhaul and improvement, implementing several website-impacting
changes. It should be noted that these changes follow some revisions of
specifications (also adopted by mainstream browsers) that are not
necessarily backwards compatible for web content as some scripting
behavior has changed. If you are targeting Pale Moon specifically (e.g.
through ua sniffing) please check and verify the behavior is still as
targeted goal brings our ES6 stringification fully in line with the
ES2018 revision for classes, and implements rest/spread parameters for
object literals. (Cheers to Luke!)
- Fixed a crash with the tuned-up parser code when certain
error messages were triggered.
- Aligned browser behavior with mainstream regarding inner
window behavior when domain is manipulated.
- Improved performance dealing with frame properties.
- Improved performance for handling html5 strings.
- Improved performance of image content loading.
- Fixed potential type confusion in array joins.
- Fixed an issue on some pages causing high CPU usage when
wrongly specifying plugin content.
- Fixed an issue with the add-ons manager "discover" pane if
no network connection is present.
- Fixed an issue with bookmark/history search results
offering context menu options that would be invalid without a selection.
- Fixed the devtools JSON viewer and enabled it by default.
- Fixed searching from
about:home not working
for search plugins using the
- Fixed an issue with the checkboxes for location bar
- Fixed SVG alignment issues if SVG-containing elements fall
on odd pixel sizes, causing blurry display of especially small SVGs
SVGs will now always be pixel-snapped to provide expected crisp display.
- Fixed precompilation of Sync client modules when packaging.
This also removes the redundant
- Added support for matroska containers and h264-based webm
- Added support for AAC audio in matroska and webm video
- Added support for spaces in the Mac package and application
- Added an exception to the unique file origin policy for
- Added native file picker support for xdg on Linux.
- Updated the default bookmark icons.
- Updated the SQLite lib to 3.29.0.
- Removed e10s information from about:troubleshooting.
- Removed hotfix leftovers.
- Removed the WebIDE developer tool.
- Removed conditional build-time disabling of the Pale Moon
status bar code.
- Removed "Delete this page" and "Forget about this site"
links from live bookmarks (since they make no sense on feeds).
- Removed the Financial Times' polyfill user-agent override
since they updated their detection to work with Pale Moon.
Release notes for older versions than those listed here
You can find the release notes for previous releases of Pale Moon on
the Archived Versions Release