Pale Moon: Release notes
DiD This means that
a fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
Rejected security patches:
This means that patches were theoretically applicable to our code but
considered undesirable, which could be due to unwanted changes in
behavior, known regressions caused by the patches, or unnecessary risks
for stability, security or privacy.
This is a point release update to address a critical security
- Fixed a WebP decoder issue (CVE 2023-4863)
This is a major development update, further improving web compatibility
and fixing bugs.
- Implemented the
BigInt primitive type for
- Implemented Big(U)Int64 array support.
- Aligned the Performance API with the Timeline v2 spec.
- Aligned the handling of flex/grid percentages resolving
against the parent with other browsers. See implementation notes.
- Added or updated several user-agent overrides for
- Added 2 preferences to allow users to disable CSS
animations and transitions. See implementation notes.
- Improved compatibility with MacOS 14.
to garbage collection.
- Fixed several crashes.
- Fixed several debug build related issues.
- Fixed an issue building on SunOS related to the spelling
- Developer: Added ASan support for building with MSVC.
- Added the
.xll file extension to the
executable extensions list.
- Security issues addressed: several potential security
issues that do not have a CVE number. DiD
- UXP Mozilla security patch summary: 1 fixed, 3 DiD, 17
BigInt primitive (base number format) in
(whole numbers). This primitive is especially useful for specialized
scientific applications that need very large yet accurate numbers, but
has seen widespread adoption for an as of yet unknown reason as part of
web frameworks, causing general web compatibility issues for Pale Moon
when scripts expect BigInt support and instead have an error thrown. We
have now implemented this primitive for use so we no longer have
compatibility issues with these frameworks. It is still unknown why
BigInt is in use there and for what. Critical
BigInt might be tempting to consider for
JS-backed cryptography but this is very ill-advised, as BigInt
operations are, by their nature, not
constant-time and allow timing and side-channel attacks.
- Flex and grid item sizes in percentages would previously be
resolved against the parent like other elements, according to a very
long-standing practice that stems from the Internet Explorer days.
Mainstream browsers have, however, made an exception for flex items and
grid items to no longer do this. We have now made the same exception
for these types of elements which should solve layout issues on some
websites (notably reserving too much space for items, often resulting
in very large areas of whitespace or items being pushed out of view).
- Two preferences were added (
layout.css.transition.enabled) to allow users to
completely disable CSS-based animations and transition effects. This
was a request by users as both a performance and accessibility
consideration. Please note that in some cases, disabling animations and
transitions may have an impact on final web page layout, so you may run
into some issues when disabling these animations and transitions as the
web pages were designed to use them.
This is a small but important bugfix release to address important
regressions in 32.3.0.
- Fixed intermittent crashes related to the performance API.
chrome scripts (causing faults in the UI and extensions).
This is a major development update, further improving web compatibility.
- Added the (hidden) preference
to allow users to control how many history entries are listed in the
menu. Setting this to
0 will hide history menu entries
altogether, and any positive number configures how many entries the
entries are limited to. The default if not defined is
- Switched C++ language level used to C++14 on all platforms.
- Web compatibility and scripting improvements:
- Implemented geometry
constructors for web compatibility.
- Implemented partial support for CSS
- Implemented Array "find from last" feature (
- Implemented Object.hasOwn(object,property).
- Implemented several additional Intl API methods and
functions. This improves web compatibility with sites making use of
Intl as a
- Cleaned up some unused code.
- Removed support for Mozilla "experiment" type extensions.
should fix a few intermittent crashes and improve performance.
- Implemented some structural changes to the source to make
future porting easier, and preparing for switching to C++17.
- Removed handling of symlinks for directory listings to
prevent potential security issues by walking symlinks when uploading.
This effectively reverts a change made in Firefox 50 where this
functionality was introduced. A case of "Not such a good idea after
- Updated the list of extensions on Windows treated as
- Security issues addressed: CVE-2023-37208.
- Made preparations for requiring Authorization in CORS
Since no browser honors this part of the spec at the moment this is
left disabled until there is consensus among browsers.
- UXP Mozilla security patch summary: 2 fixed, 2 rejected, 20
This is a small bugfix and stability update.
There were no applicable Mozilla security bugs this time around.
- Fixed a crash in devtools in some OOM situations.
- Fixed crashes when internal script execution was blocked by
- Fixed crashes with WebComponents'
- Disabled incremental cycle collector by default to avoid
- Updated the default override for chase.com to work around
This is another important, major development update, continuing our
rapid development efforts in the v32 milestone.
With this version we should have restored web compatibility with the
majority of reported problematic websites. If you were previously
running into websites being problematic in Pale Moon, it may be a good
idea to try them again with this release.
Special thanks to Job Bautista, martok, dbsoft, FranklinDM and Travis
for continuing their hard work making this a reality!
This updates our UXP/Goanna platform version to 6.2.
- Implemented dynamic module imports. See implementation
- Implemented exporting of async functions in modules.
- Implemented logical assignment operators
- Implemented a solution for websites using the officially
window.event. This is disabled by
default but can be enabled through about:config's
preference. See implementation notes.
self.structuredClone() (this may
be very obscure to anyone except web developers. Apologies ;-) )
again primarily a web developer note.
- Improved Shadow DOM
- Implemented WebComponents' CSS
and related functionality.
- Improved page caching in our memory allocator.
- Added support for FFmpeg 6.0, especially important for
bleeding-edge Linux distros.
- Fixed a potential drawing deadlock for images, specifically
SVG. This solves a number of hang-on-shutdown scenarios.
- Fixed various crashes related to WebComponents and our
- Fixed various build-from-source issues on secondary target
- Fixed various small browser front-end scripting issues that
could lead to errors or broken functionality.
- Fixed handling of async (arrow) functions declared inside
properly create async wrappers.
- Updated the DOM Performance API to the current spec (User
See implementation notes, especially if you intend to use this in web
content for critical functionality.
- Updated keypress event handling to send keypress events on
- Updated window handling and styling on Mac.
- Updated the Freetype lib to 2.13.0.
- Updated the Harfbuzz lib to 7.1.0.
- Updated our DNS lookup calls to use
instead of the deprecated
- Updated the Fetch API to use the global's base URL instead
of the entry document's base URL for spec compliance.
- We no longer support the outmoded
on GTK systems.
- We no longer parse or return the body of known-empty
responses from servers (content-length of 0, or in case of HEAD or
- Implemented scaled font caching on GTK, improving
- Fixed a build issue when building for Linux on ARM64 on
- Split out more parts of the browser into separate .dll
files on Windows to reduce compiler strain and an oversized xul.dll
- Removed mozilla::AlignedStorage (code cleanup).
- Builds for FreeBSD now use xz for packaging instead of
bzip2. By request, we now also offer GTK2 builds for FreeBSD.
- Merged the preference
dom.webcomponents.enabled pref. See
- Fixed a potential DoS issue with JPEG decoding.
- Fixed a potential issue in Windows widget code that could
lead to crashes.
- Disabled potentially hazardous external protocols on
- Added known-problematic .dlls to the internal blocklist.
- Security issues addressed: CVE-2023-32209, CVE-2023-32214
and several others that do not have a CVE designation.
- UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27
into web page content. One of the later introduced methods is a
function-style import() declaration, so-called "dynamic module imports"
that has been used by various web frameworks, causing issues for Pale
Moon resulting in blank pages in most cases (since the websites would
create content, all from imported modules). This has been a major web
compatibility issue lately and we're pleased to announce that this
complex bit of machinery has been implemented.
watered down from a prototyping language towards a more "C-like"
ECMAScript 6, and now further expanded in ES2022 with class fields and
private class fields/methods, as well as statics. We should have a
complete implementation of this now, which constitutes the more
important parts of the ES2022 language update.
- The use of the outdated Microsoft Internet Explorer global
has been a pervasive web compatibility issue for us, especially since
it was officially deprecated and we never implemented this ambiguous
and unreliable property that is highly-context sensitive. Websites
should use the event as passed into the event handler to get the event
source instead. However, since neither Chrome nor Firefox have dropped
this and seem to be playing a game of "chicken", it remains in use on
the web. To deal with this conflict, we have now implemented the
equivalent behind a preference to enable users to (temporarily) use the
window.event while webmasters update their
websites. We hope the Google camp will finally drop this one soon so we
can be done with this legacy quirk.
- The DOM Performance API was updated to the User Timing
level 3 spec. It should be critically noted that the DOM Performance
API was never designed to be used as a matter of course on published
content, and was designed only for page performance analysis use by web
designers. Of course, as part of making dev tools available to the web,
a lot of abuse ensued because of the accurate navigation and timing
measurements that this API can provide (looking at you, Google!).
Because of tight integration with web content analysis, the older spec
implementation we had was causing issues and actually breaking some
services, so we updated it, but with a few important key differences:
- In Pale Moon, we keep navigation timing disabled because
it's a notable privacy issue for the data it can gather (exact
navigational events and timings). If you're a web dev and need these
timing measurements, you can enable them with
- Our implementation, contrary to the spec, does not allow
unlimited recording of performance events (effectively logging every
page event!) which can also rapidly eat up memory. Instead we enforce a
sane default quota that should be roomy enough for all legitimate use,
but prevents runaway resource use or extensive logging of user actions.
- If the set quota is reached, a warning will be printed in
the console and the recorded performance events will be thrown away. If
you (foolishly) rely on Performance API events for your web application
to function, be aware this may cause compatibility issues as the API
was, again, not designed to be used in such a fashion. For event
handling, there are much better alternatives available which do not
involve extensive recording of user data or relying on a developer tool
- We've historically implemented the DOM
as it was being used in the wild as a standalone function, however its
main intent has always been to be a helper function part of Shadow
DOM/WebComponents. As such we have now merged the preference into the
WebComponents preference, enabling and disabling it along with the rest
of our WebComponents implementation.
This is a bugfix and security release.
- Fixed a crash in CompareDocumentPosition with Shadow DOM.
- Fixed a crash with display:contents styling.
- Added a preference to disable the TLS 1.3 protocol
downgrade sentinel (see implementation notes).
- Changed the way large clipboard copy/paste operations are
handled, improving privacy (see implementation notes).
- Improved filename safety when saving files to prevent
potential environment leaks (bis).
- Improved sanity checks of MIME type headers.
- Security issues addressed: CVE-2023-29545 and
- UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49
- Some proxies and middleware boxes improperly handle the TLS
1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With
our recent update of NSS, Pale Moon no longer allows this kind of
protocol downgrade when trying to establish a TLS 1.3 connection to a
server. The resulting error is ssl_error_rx_malformed_server_hello with
an inability to connect to the server. To enable users to still connect
to the servers or devices in question, we've added an option to switch
off the downgrade sentinel. To switch it off as a temporary workaround,
set security.tls.hello_downgrade_check to false.
- If copy and paste operations to/from the browser are
performed, Pale Moon writes clipboard contents to disk in a temporary
cache file if the copy/paste amount is particularly large, to avoid
using large amounts of memory to hold this data. The average
paste/clipboard size doesn't tend to hit this limit in which case it is
just held in memory.
Previously, these cache files, while in the O.S. temporary file
location (%TEMP% or /tmp), would not be consistently cleaned up,
potentially causing privacy issues if persisted. This was changed to
using auto-cleaning anonymous temp files, improving user privacy and
relying less on the O.S. or user performing cleanup of temporary file
storage. Thanks to Sandra for pointing this out and providing the patch.
This is another major update with important compatibility improvements
for the web. Most notably, our implementation of Google WebComponents
is now at a state where we enabled them by default.
Additionally, our Mac builds (for both Intel and ARM Macs) are no
longer in beta and considered stable. Signed/notarized builds with the
regular branding are available from the download page!
Huge thanks to FranklinDM for his work this cycle getting us to this
point. Of course major thanks to everyone who has contributed to this
complex and difficult WebComponents task over a long time!
Thanks also to Martok and Job Bautista for continuing to work on and
- Shadow DOM and CustomElements, collectively making up
WebComponents, have been enabled by default which should bring much
broader web compatibility to the browser for many a site that uses web
2.0+ frameworks. See implementation notes.
- Tab titles in the browser now fade if they are too long
instead of using ellipses, to provide a little more readable space to
page titles. Note that this may require some updates to tab extensions
- A number of site-specific overrides have been updated or
removed because they are no longer necessary or current with the
platform developments in terms of web compatibility. We could use your
help evaluating the ones that are still there; see the issue
on our repo.
- Updated our promises and async function implementation to
the current spec.
- Fixed several crashes related to regular expression code.
- Improved regular expression object handling so it can be
properly garbage collected.
- Fixed some VP8 video playback.
- Fixed an issue where the caret (text cursor) would
sometimes not be properly visible.
- Updated the embedded emoji font.
- Implemented the
- Implemented complex selectors for the
- Implemented the
inset CSS shorthand property.
- Implemented the
env() environment variable
CSS function. See implementation notes.
- Implemented handling for RGB encoded video playback
(instead of just YUV).
- Implemented handling for full-range videos (0-255 luminance
levels) giving better video playback quality.
- Removed the WebP image decoder pref. See implementation
- Enabled the Web text-to-speech API by default (only
supported on some operating systems).
- Updated NSPR to 4.35 and NSS to 3.79.4
- Cleaned up unused "tracking protection" plumbing. See
- Cleaned up URI Classifier plumbing (Google SafeBrowsing
- Fixed several intermittent and difficult-to-trace crashes.
- Improved content type security of
- Fixed potential crash scenarios in the graphics subsystem. DiD
- Improved filename safety when saving files to prevent
potential environment leaks.
- Security issues addressed: CVE-2023-25751, CVE-2023-28163
and several others that do not have a CVE.
- UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not
- Google WebComponents has been long-running major feature
work in UXP. We're finally at a level with this (after several setbacks
and brick-walling) that it can be enabled by default. Please note that
while this greatly improves web compatibility with many Chrome-focused
websites using these controversial technologies, our implementation is
not yet complete and more work is necessary. As a result, this change
to enable it by default may actually break some previously-working
websites as well, but it's expected the majority will work at our
current state of implementation. Please visit the forum if you need
help with web compatibility issues.
env() CSS function was implemented for
compatibility with websites that rely on this without fallback. Note
that this function actually has no real use for desktops as it is
primarily used to indicate environmental restrictions of mobile
screens, e.g. extra space needed to avoid a camera notch or folding
screen margin. However, due to the way certain sites implement their
styling in a mobile-first approach, it is assumed that this function is
available on all systems and in all browsers by these sites. Note that
Pale Moon simply hard-codes queried values here.
- WebP images have had a stable and complete implementation
in Pale Moon for a long time now, so the preference to disable support
for it has been removed, as it's considered by now to be one of the
"staple" image formats supported by web browsers. This was done to
reduce complexity for content negotiation, especially since we're
adding more support for JPEG-XL that still isn't as-complete. From here
on out, we simply always support WebP decoding.
- While we've had a preference for "tracking protection" in
our browser implementation (in about:config), this marketed feature of
Firefox was never adopted by us, because it is for the most part a
service-based feature, and the non-service parts were undesirable as
they were crippling useful APIs. Our effective protection against
tracking has not changed, we have simply removed the preference
and plumbing for a non-functional service feature that would
potentially give the false impression it would do anything.
As a reminder, if you are concerned about tracking, use a competent
adblocker extension, and enable "Tell sites not to share or sell my
data" in Preferences -> Privacy under "Data Privacy". You may also
want to enable "canvas poisoning" by setting
true in about:config to reduce the risk of
fingerprinting through canvases.
This is a bugfix and security update.
- Fixed a crash in the new regular expression code.
property escape to regular expressions.
- Fixed a regression in regular expressions for literal
parsing of invalid ranges.
- Updated NSS to pick up fixes.
- Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and CVE-2023-0767.
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not
This is a new milestone release.
Primary focus for this milestone is web compatibility, in particular
Regular Expression extensions, standards compliance issues and further
This milestone now offers full coverage of the ECMAScript 2016-2020
Special thanks to Martok, Job Bautista and FranklinDM without whom this
milestone would not have been possible, and to dbsoft for putting in
the effort to work on Mac and FreeBSD builds.
Most important changes:
- Implemented Regular Expression named capture groups.
- Implemented Regular Expression unicode property escapes.
- Re-implemented Regular Expression lookaround/lookbehind
(without crashing this time ;) ).
- Implemented progressive decoding for JPEG-XL.
- Implemented animation for JPEG-XL.
- Implemented a compatibility mode for
elements. See implementation notes.
- Renamed CSS
offset-* properties to
to align with the latest spec and the web.
- Fixed CSS inheritance and padding issues in some cases.
- Aligned parsing of incorrectly duplicated HSTS headers with
expected behavior (discard all but the first one).
- Implemented a method to avoid memory exhaustion in case of
(very) large resolution animated images.
- Updated the JPEG-XL and Highway libraries to a recent,
- Cleaned up some unused CSS prefixing code.
- Improved the ability to link on *nix operating systems with
other linkers than gcc's default.
- Stability improvements (potential crash fixes).
- Security issues addressed: CVE-2023-23598, CVE-2023-23599
and several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not
- We're working on finalizing official builds for Mac OS and
FreeBSD. These are currently in beta and can be downloaded from the Contributed Builds page. Please
note that you may run into some system compatibility issues with these
builds. If you do, please go to the forum and
report it in the appropriate board!
- To provide users with a temporary work-around for
non-compliant websites, a compatibility mode for
elements was implemented, which will treat
elements as generic containers instead of actual form button elements.
This has been necessary because Chrome is not standards compliant in
this respect and website developers regularly make the mistake of
trying to use active content on button faces and expecting pointer
events to end up being sent to the active content and not the button
(which is not
what the standard prescribes! See "content model" on the standards
page stating there "must be no interactive content descendant").
Webmasters should be alerted to this compliance issue, but it can
(temporarily) be worked around in the browser from this point for
forward by setting the preference
false and restarting the browser. Note that this is a
workaround and the only actual solution is advocacy for the standard
and more browsers becoming standards compliant.
You can find the release notes for previous
releases of Pale Moon on
the Archived Release