Pale Moon: Release notes
This is a security and stability update.
DiD This means that
the fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
- Changed the
behavior to only check "success" class server responses, for web
- Changed the performance timer resolution once more to a
granularity of 1 ms, after evaluating more potential ways of abusing
This takes the most cautious approach possible lacking more information
(because apparently NDAs have been signed over this between mainstream
players), follows Safari's lead, and should make it not just infeasible
but downright impossible to use these timers for nefarious purposes in
- Improved the debug-only startup cache wrapper to prevent a
- Fixed a crash in the XML parser.
- Added a check for integer overflow in
- Fixed a potential race condition in the browser cache.
- Fixed a crash in HTML media elements (CVE-2018-5102)
- Fixed a crash in XHR using workers.
- Fixed a crash with some uncommon FTP operations.
- Fixed a potential race condition in the JAR library.
This is a minor emergency update to address website breakage and a
- Added support for Array.prototype[@@unscopables].
was incomplete, which caused a number of websites (e.g. Chase on-line
banking, some Russian government sites) to display blank or not
complete loading after updating to that version of the browser. This
update should fix the problem by adding the missing part of the feature.
- Fixed an issue with the default theme causing tab borders
to be drawn too thick at higher settings for visual element scaling
(125%/150%) in Windows.
This is a stability and bugfix release, as well as adding a number of
new features to further improve web compatibility.
- Reorganized access to preferences (moved to the Tools menu
on Linux, and renamed from "Options" to "Preferences" on Windows).
- Renamed "Restart with add-ons disabled" to "Restart in Safe
Mode" to better reflect what it does.
- Worked around an issue with some improperly-encoded PNG
files not decoding after our libpng update.
- Fixed an issue on Mac builds not properly populating the
- Added "My home page" as an option for new tabs.
- Added an option to disable the 4th and 5th mouse buttons
- Improved the resetting of non-default profiles.
- Fixed an issue with details/summary having the incorrect
height if floated, breaking layouts.
- Made several more improvements to the details/summary tags
to align them with the current spec and fix some additional bugs.
- Implemented support for flex/columnset contents inside
buttons to align its behavior with other browsers.
(this should fix layout issues with Twitch's new web interface)
- Fixed an issue where CSS clone operations would draw a
- Changed the way fractional border widths are rounded to
provide more natural behavior.
- Fixed an issue where number inputs would incorrectly be
flagged as read-only.
- Added assets for tile display in the Windows start panel.
- Finished sync infra swapover by adding a one-time pref
migration for server used.
- Improved WebAudio API: Return the connected audio node from
- Added support for a default playback start position in
- Fixed an assert in cubeb-alsa code (Linux).
- Added support for media cue-change events (e.g. subtitles).
- Updated SQLite to 3.21.0.
- Fixed a crash when trying to use the platform embedded.
- Fixed devtools (gcli) screenshots on vertical-text pages.
- Fixed devtools copy as cURL for POST requests.
- Improved the HTML editor component (several bugfixes).
- Added support for ES7's exponentiation
a ** b
- Fixed an issue with arrow functions incorrectly creating an
- Disabled automatic filling in of log-in details by default
to prevent potential risks of credentials being abused (e.g. for
tracking) or stolen.
- Added a preference (in the category security) to easily
disable automatic filling in of log-in data.
- Removed the sending of referrers when opening a link in a
new private window.
- Added an option to disable the page visibility Web API (
allowing users to prevent pages from knowing whether they are being
actively displayed to the user or not.
- Removed the "ask every time" policy for cookies. For
granular control, please use any of the excellent available extensions
to regulate cookie use on a per-site or per-url basis.
- Added support for
- Changed the resolution of performance timers to a level
where any future potential abuse for hardware-timing attacks becomes
This is a security and minor bugfix update to the browser.
This will most likely be the last update for 2017, with the holidays
not far away.
- Implemented the concept of so-called "cookie-averse
document objects" which is a security&privacy measure that blocks
certain web content from setting cookies. This mitigates
cookie-injection, which might help against "hidden" cookie tracking.
- Mitigated some domain name spoofing through IDN by using
dotless-i and dotless-j with accents. (CVE-2017-7832)
Pale Moon will display these kinds of spoofed domains in punycode now
in the actual address bar.
Please note that the identity panel will always be able to help you on
secure sites when IDNs are in use to notice potential spoofing, as
opposed to relying on detection algorithms in the URL itself. As such,
some other issues like CVE-2017-7833 are already mitigated by us.
- Fixed an issue with mixed-content blocking. (CVE-2017-7835)
- Added an extra check for the correct signature data type on
- Added missing sanitization in exporting bookmarks to HTML.
- Fixed several crashes and memory safety hazards.
- Fixed the Linux load throbber image to be properly encoded,
to prevent flickering.
- Removed the shortcut key combination for restarting the
browser to avoid issues with people using certain keyboard layouts
hitting the combination and unintentionally triggering a browser
This is a minor bugfix release to address some pressing issues people
- Fixed a regression with new windows (opening two windows
from the command-line or file association, focus issues on new windows,
not loading the home page in a new window, etc.)
- Aligned XHR with the currect spec to allow
- Fixed an input element focus issue within handlers.
- Fixed the processing of all-padding HTTP/2 frames to
prevent rare HTTP/2 hangups.
- Updated CitiBank override to work around their login issues.
- Updated Netflix override to a community-supplied one that
seems to satisfy their arbitrary restrictions better.
This is a major development update.
- Dropped support for Direct2D 1.0 to avoid font rendering
issues. Windows installations not capable of using Direct2D 1.1 will
now fall back to software rendering. As a result, fonts may look
different from this version onwards if you are on Windows Vista or
Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
- Updated the Brotli decoder library, and enabled support for
Brotli HTTP content-encoding by default.
- Added notifications to inform users about WebExtensions not
being supported if they try to install them (as opposed to "extension
- Added a number of DOM childNode convenience functions. This
should fix some lazy-loading frameworks.
(enjoy your LOLcats again!)
- Changed automatic updates over to the new infrastructure.
- Added extra proxy settings in Options, covering DNS lookups
through SOCKS v5 and automatic proxy authentication with known
- Added a selectable fallback character encoding of UTF-8 and
fallback to UTF-8 as a last effort. (Issue #1423)
- Improved timing of
firing to work around a potential race condition locking up queued
- Improved upmixing of mono sound for multi-channel setups.
- Fixed a parallelization issue with the KISS-FFT library
CPU-deadlocked threads (Issue #1425)
- Fixed "Remove from history" function from the downloads
- Forced focus on the address bar in new windows if the
content is a blank/empty document.
- Fixed the dropmarker in the address bar to allow the
suggestions to be closed with a click.
- Further cleaned up the status bar code.
- Disabled window.showModalDialog; it's been removed from the
spec 2 years ago and has potential abuse issues (modal dialogs block
- Fixed image decoder calls to make sure the image load event
doesn't fire prematurely.
- Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
- Updated WOFF2 code from upstream.
- Updated the zlib compression library.
- Made general improvements to internal code structure and
- Fixed an issue with certain command-line parameters being
- Updated the default theme to improve consistency and
contrast of toolbar and download buttons.
- Increased the default duration of notification pop-ups and
made them configurable.
- Improved handling of audio-visual media (ongoing).
- Fixed an issue in CSS where elements would sometimes reflow
to the next line even with sufficient visual space.
- Aligned the implementation of
loops with the final ES6 specification.
- Fixed the selection system inside of a nested
contenteditable element being broken.
- Fixed Windows 10 detection for blocklisting graphics
- Enabled pasting of clipboard data in documents without an
editor element to improve web compatibility.
- Fixed the uninstallation routine of restartless add-ons.
- Fixed the handling of unimplemented functions in the
- Updated the Facebook user-agent to enable otherwise
- Updated the SVG scaling cache limit to be more lenient for
larger SVG images at a small performance trade-off, working around some
sites' design issues.
- Added an option to clear Site Connectivity Data (delete
- Removed stale entries from the HSTS preload list, and
improved generation/processing of it.
- Removed undesired certificate issuer organization to common
name fallback (if issuer org is empty).
- Added pretty-printing for ECDSA-SHA224, 256, 384 and 512
hashed certificate signatures.
- Worked around some more issues with broken Apple fonts.
This is a security and stability update to the browser, as well as
fixing some issues users have indicated.
- Changed the default Windows 10 styling when no accent color
is applied to black-on-white.
- Changed the theme styling on Windows 10 when the system
window frame is used (menu bar enabled) to use the window manager
background directly, preventing visual lag updating the window color
when it changes.
- Updated user agent overrides for DropBox, YouTube and
Yahoo to work around user agent sniffing issues.
- Fixed a crash in the media subsystem.
- Fixed a regression where video playback hardware
acceleration was disabled incorrectly on some systems.
- Updated the hyphenation library to the latest upstream code
to fix a
- Updated NSPR to 4.16-RTM with a patch to un-bust building
- Updated NSS to 3.32.1-RTM.
- Worked around some more issues with Mac fonts
- Fixed a potential rooting hazard in NPAPI plugin code. DiD
This is a major update furthering general development of the browser.
- User interface:
- Added a menu option to restart the browser.
- Added Windows-specific CSS parameters and queries for the
use of the system accent color. Added are parameters
-moz-win-accentcolortext, and the media query
to know if Windows is actively using an accent color.
- Changed Windows' browser CSS sheet ot use variables
of hard-coding colors, simplifying its style and making it more
flexible. Further cleaned up the Windows 10 specific browser style.
- Changed the theme on Windows 10 to use the new accent
colors and improve O.S. consistency.
- Fixed some general inconsistencies in the Windows theme
on all Windows operating systems.
- Updated Windows widgets to be able to pick up Windows 10
accent colors dynamically and have the browser 's look and feel respond
accordingly, even with automatic color changes based on desktop
- Removed the experimental FF4 prerelease
status-in-addressbar feature because the already-crowded address bar
needs a break. This should solve some extension interop issues, theme
issues and domain highlighting issues people have reported.
- Cleaned up some dead code for the plugin updater that no
- Fixed a text direction issue in preferences.
- Fixed an issue with disabled context menu entries after
- Reorganized and cleaned up the status preferences.
- MSE Media updates (ongoing). We are focusing on improving
- Improved MP3 metadata parsing (e.g. incorrect duration
with embedded album cover)
- Fixed a number
of searching issues in MP3 files
- Fixed a few crashes.
- Fixed an issue with automatically exporting bookmarks to
HTML on shutdown.
- Fixed a regression re: domains allowed to/blocked from
- Fixed several internal errors thrown in the front-end.
- Fixed several minor issues in the devtools.
- Added a fix to prevent the home page from being loaded (and
subsequently overridden) when restoring a session.
- Added an option to control add-on blocklist behavior
(Options -> Security)
- Added DOM function
- Added DOM
- Added a basic implementation of
- Added "Open in new private window" to bookmarks, feeds and
- Added HTTP request method OPTIONS.
- Added an option to exit to a no-content page after
encountering a network or security error.
This is controlled with the preference
-- when set to
true, "Get me out of here" buttons will
load a blank page instead of the browser's home page.
- Added experimental Brotli accept-encoding (alternative
to gzip/deflate compressed http data
transfer). Disabled by default for now because it causes issues.
- Improved the handling of several CSS selectors.
- Changed session storage to remember form data for https
sites by default.
- Added (yet another) trap prevention method to
- Fixed privacy preferences not correctly resetting all
options when choosing "Remember History"
- Fixed not being able to deselect loading bookmarks in the
- Limited the display of user names and hosts in the http
auth dialog to sane lengths, preventing over-sizing issues.
- Fixed a number of potential crash points.
- Improved the security of the Windows dll loader module.
- Reinstated "Open all in tabs" option on folders of live
- Made URL matching more liberal in selected text to make it
easier to open stated addresses.
- Fixed an issue with Graphite font rendering where automatic
font collision fixing didn't always work.
- Color Management for images is now disabled by default on
Linux, due to many distributions not having a streamlined setup with
sane default ICC profiles, which makes images look worse when color
management is enabled.
- Tightened the update security check to prevent acceptance
of update manifests that have been intercepted/replaced through https
Please be aware that https-filtering antivirus may interfere with
future application updates as a result.
- Updated the ANGLE library to broaden WebGL support and
reduce the potential of crashes (due to junk being sent to the video
- Added content-sniffing for WebP images (working around
CloudFront's incorrect content-type headers).
- Fixed a problem with some H.264 media not playing (SPS NAL).
- Improved timer efficiency (switch back to lower precision
when high precision is no longer needed, reducing CPU/power
- Improved context search on selected text/links.
- Updated address bar handling with Alt or Shift modifiers,
so that "switch to tab" with a modifier can open copies of
- Added a fix on Linux for starting the browser from
- Privacy fix: Pale Moon will now clear QuotaManager storage
cache/IndexedDB data) as part of clearing Offline Website Data.
This is an out-of-band update for the portable version of the browser
This fixes a few issues in the portable shell regarding backups and
To update, please follow the recommended update procedure listed on the
Pale Moon Portable page.
This is a small update to address some security and stability issues.
- Fixed a number of crashes.
- Enabled the opt-in debugging feature to log SSL keys to a
file in all builds.
- Added a fix for TLS 1.3 handshakes causing a browser
Handshakes should be considerably faster now and no longer
stall in the wrong circumstances.
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme
- Fixed an issue where (cross domain) iframes could break
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
- Fixed an issue with elliptic curve addition in mixed
Jacobian-affine coordinates (CVE-2017-7781)
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
- Fixed a UAF in WebSockets (CVE-2017-7800)
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded
(accessibility is disabled)
This is a small update to address some media and web compatibility
- Fixed an issue where media playback would not use hardware
acceleration properly when using MSE.
This would cause high CPU usage and/or choppy playback for HD video on
- Fixed ES6 iterator chains to be spec-compliant.
- Fixed ES6 vector append calls and some related memory leaks.
- Added a workaround to reduce the likelihood of a potential
rare (timing-critical) crash.
This is a major update to straighten out most of the media streaming
issues, as well as adding the necessary enhancements, bugfixes and
security fixes to the browser.
- Completely re-worked the Media Source Extensions code to
make it spec compliant, and asynchronous as per specification for MSE
with MP4. This should fix playback problems on YouTube, Twitch, Vimeo
and other sites that previously had some issues. A massive thank you to
Travis for his tireless work on making this happen!
Please note that MSE+WebM (disabled by default) is not using this new
code yet (planned for the next release), and as such there is a
temporary set of things to keep in mind if you don't use default
- If you have previously enabled MSE+WebM, this setting
will be reset when you update to avoid conflicting settings with the
updated MSE code.
- We've added an extra setting in Options to disable the
updated MSE code (asynchronous use) in case you need to use WebM or are
otherwise having issues with the updated code (please let us know in
- Once again, the MSE+WebM and Asynchronous MSE use are
currently mutually exclusive. You can have one or the other, not both,
until we sort out the code for WebM. To enable MSE+WebM you will first
have to disable Asynchronouse MSE in settings (otherwise the WebM
setting will be greyed out and disabled).
- Added a control in options/preferences for HSTS and HPKP
- Changed HTML bookmark exports to write CRLF line
endings to the file on Windows.
- Leveraged multi-core rendering for libVPX (VP8/VP9 WebM
- Fixed some issues accessing DeviantArt (useragent-sniffing).
- Aligned CSS
text-align with the spec.
- Added a recovery module for browser initialization issues
(e.g. when using a wrong language pack).
- Fixed spurious console errors for XHR requests with certain
http response codes.
- Enabled v-sync aligned refresh for a smoother scrolling
- Removed support for CSS XP-theme media queries.
- Improved console error reporting.
- Fixed resetting toolbars and controls from the safe mode
- Fixed bookmark recovery option from the safe mode dialog.
- Fixed innerText getters for display:none elements.
- Fixed a GL buffer crash that might occur with certain
combinations of drivers and hardware.
- Added some more details to about:support.
- Fixed a potential crash when the last audio device is
removed during playback.
- Fixed a crash on about:support when windowless browsers are
<select> elements to blank if
the actively set value doesn't match any of the options.
- Updated the interpretation of 2-digit years in date formats
to match other browsers:
0-49 = 2000-2049, 50-99 = 1950-1999.
- Added "
q" units to CSS (quarter of a
.origin property to blobs.
- Fixed several minor layout issues.
- Fixed disabled HTML elements not producing the proper JS
- Implemented web content handler blacklist according to the
spec, allowing more than feeds to be registered.
- Fixed a spec compliance issue with execCommand() on HTML
- Fixed a problem with table borders being drawn uneven or
being omitted when zooming the page.
- Added devtools "filter URLs" option in the network panel.
- Added visual sorting options to the Network inspector.
- Added importing of login data from Chrome profiles on
Windows (Chrome has to be closed first).
- Added importing of tags from bookmark export files (HTML
- Updated usage of SourceMap headers with the updated spec
(SourceMap header, keeping X-SourceMap as a fallback).
- Fixed several cases of wrongly-used negations in JS modules.
- Added the
auxclick mouse event.
- Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
the Graphite font library to 1.3.10.
how image and media elements respond to window size changes (responsive
parsing and use of rotation meta data in video.
several crashes in a number of modules.
performance regression for scaling large vector images (e.g. MSIE
Chalkboard test) \o/
- Fixed some
issues with notification icons.
- Fixed some
internal errors with live bookmarks.
SQLite to 3.19.3.
several reported issues with devtools (cli-cookies, cli help, copying
cURL, inspecting SVGs, element size calculations, etc.)
- Fixed an
issue where a server response was allowed to override add-ons'
specified version ranges even for add-ons that have strict
compatibility (e.g. themes, language packs).
- Removed preloading of HPKP hosts and enabled HPKP header
- Added support for TLS 1.3, the up-next secure connection
- Fixed an issue with TLS 1.3 not supporting renegotiation by
- Relaxed some restrictions for CSP to temporarily work
around web compatibility issues with the CSP-3 deprecated `child-src`
- Updated NSS to 18.104.22.168-PM to address some security issues.
- Updated the installer selfextractor module to address
unsafe loading of libraries.
- Changed the way certain resources are included to reduce
effectiveness of some common fingerprinting techniques. (e.g.
- Fixed a regression in the display of security information
in the page info dialog for insecure content.
- Fixed two potential issues with allocating memory for
- Fixed a potential issue with the network prediction
- Restricted the use of Aspirational scripts in IDNs to
prevent domain spoofing, in anticipation of the UAX#31 update making
- Prevented a Mac font specific issue that could be abused
for domain spoofing (CVE-2017-7763)
- Fixed several potentially exploitable crashes.
(CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE
Release notes for previous versions (unsupported)
You can find the release notes for previous releases of Pale Moon on
the Archived Versions Release