Pale Moon: Release notes
27.0.3 (2016-12-16)This is a bugfix and security update.
Security-related and crash fixes:
- Fixed certain network errors not displaying.
- Fixed network error page styling.
- Fixed the writing of DOM storage data to tabs (should solve
the "tabs not loading their contents" issue when migrating a profile
and some other situations).
- Disabled downloadable font unicode-ranges on non-Windows platforms.
- Added a Google Fonts user-agent override for non-Windows
platforms so they don't send unicode-ranged composite fonts (Feature
detection? Google apparently still doesn't know what that is).
- Re-enabled the reporting of CSS errors to the console by
default to prevent issues with some extensions who rely on this (e.g.
- Fixed and updated preferences for location bar suggestions.
- Fixed several x64-specific issues in memory allocation code (regression fix).
- Fixed timer issues when resuming a computer from stand-by (regression fix).
- Fixed a number of branding and textual issues in the browser.
- Fixed prompting for the saving of off-line data (previously always allowed without prompting).
- Fixed a layout regression that would cause block elements
following left floats to not wrap to the next line if there wasn't
- Fixed a mismatch in Firefox extension compatibility-mode
installation where Firefox extensions served by addons.mozilla.org
would be marked incompatible when trying to install.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not
apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by
the same code when surrounding code changes, exposing the problem.
- Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
- Fixed CSP bypass using the marquee tag (CVE-2016-9895).
- Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
- Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
- Fixed an error in the buffer logic in http-chunked decoder.
- Fixed a crash in generational GC code (not in use by default) DiD
- Fixed a compartment mismatch bug in plug-in code
- Fixed a crash trying to get a nonexistent property.
- Improved MediaRecorder's observer safety.
- Fixed a crash related to document history.
This is a minor update to address usability and security issues:
- Enabled Firefox Compatibility mode by default for the useragent string.
too many websites (and especially the big players who should know
better like Google, Apple and Microsoft) still require the "we must pretend to
be Firefox if we want this site to work" status quo to be
maintained, because people still insist on using useragent sniffing to
determine "browser features", or even worse, discriminate against free
choice of browser by flat-out refusing service (I'm looking at you,
banking industry and cloud services!) when visiting websites just because companies don't
want to provide assistance to any but users on the main 3.
HTML offers plenty of ways to do proper feature detection; site owners should use them.
Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
- The built-in devtools are back, and with a facelift!
Thanks to some consistent community help, the built-in devtools, sorely
missed by a number of our users, are back. They've received a code and
style update and should be fully functional on the new platform. This
was originally planned for 27.1, but it was decided to include this as
soon as possible, not in the least to assist extension developers in
their efforts to adapt to Pale Moon 27.
- Security fix:
Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
This is a bugfix release for some of the issues that popped up with the new milestone.
- Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code.
This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
- Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
- Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
- Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
- Worked around bad Netflix interface changes - it will now use a more compatible web UI.
Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
- Aligned base status bar colors with default prefs.
- Fixed status bar options not being remembered.
an override for Amazon Prime videos so they won't stop us at the front
door any longer when not using the Firefox Compatibility user agent
- Re-applied proper branding text to in-app licensing.
After about 8 months of development, we now have a new milestone
release with literally too many changes to list even concisely. These
release notes will therefore only highlight the most important parts of
In this release we've done a full upgrade of our back-end platform,
meaning many things work different "under the hood" and you may run
into a number of extension compatibility issues as a result.
New and updated features:
- Support for DirectX 11 and Direct2d 1.1 on Windows. This
will bring Pale Moon more in line with the capabilities for current-day
operating systems and graphics hardware.
- Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
- Pale Moon now fully supports HTTP/2.
- Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
- Media Source Extensions have been implemented to solve many video playback issues.
This can be enabled/disabled and configured in Options. It's
recommended at this time to not enable MSE for WebM since there are a
few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
- Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
- Support for SSL/TLS connections to proxy servers.
- Support for the WOFF2 font format for downloadable fonts.
many landmark ECMAScript6 features (chief among them promises and
generators). This will solve many of the web compatibility issues that
people have started to run into in the past few months (e.g. webmail
interfaces, some sites coming up blank because they are
- The way web content is cached has been changed to be more
efficient. If you want to immediately take advantage of this, clear
- Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
- Removed the internal PDF (pre)viewer. This module was not
maintained, was unable to display even half of the PDF documents
correctly, and could not reasonably remain included in the browser.
Please use a separate reader and/or install a PDF reader plugin.
- Disabled building of the devtools. They will not be
included in release versions of Pale Moon from this point forward. If
you are a web developer or otherwise need those tools, fear not! They
are available as a browser extension.
- Removed the active XSS filter. This feature, although
effective, was prone to some instability and needs to be rewritten for
the update of our platform. It may or may not return in the future,
depending on whether the original author has time to rewrite parts of
this filter implementation.
- Removed support for Add-on SDK extensions (JetPack
extensions), considering the Mozilla/Gecko SDK is no longer compatible
with our combination of application and platform code.
Other important notes:
- All relevant security fixes up to and including Firefox 50
have been ported across from Mozilla to continue to provide an as
secure as possible browser.
- Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
- There's a new option and control to determine whether to
save zone information (marking files as "downloaded from the Internet")
on downloaded files (Windows+NTFS). You can find this in Options.
first upgrading your browser to v27, your profile will be migrated to
the new format for the browser. This is a one-time conversion and
unfortunately this migration can cause some issues. Please see the forum FAQ for more details.
- Pale Moon 27 will initially only be available in English.
We are working on getting localization done to have language packs
available over time.
Important: You can not use the previous language packs since
many strings have changed. Trying to do so will likely prevent the
browser from starting or functioning. Pale Moon will automatically
disable language packs for the previous version, but if you have
explicitly disabled add-on compatibility checking you may run into
- We will continue to fully support the following:
- NPAPI plugins
- Extensions with binary/XPCOM components
- XUL/Overlay and bootstrapped extensions
- Complete themes
- Unsigned and author-signed extensions
- The Camellia encryption cipher (also in GCM mode)
- Graphite font shaping
- Sync 1.1 (albeit without support for syncing add-ons)
- Full customization of the UI as before
Release notes for previous versions (unsupported)
You can find the release notes for previous releases of Pale Moon on the Archived Versions Release Notes page.