Pale Moon: Release notes

v28.13.0 (2020-09-04)

• Updated the included site-specific user-agent overrides for a number of websites that need them.
• Rewritten the browser's padlock code to use more modern APIs and provide more accurate security status indication.
  Now also with localized tooltips!
  
• Fixed a missing close button on the undo prompt after removing a thumbnail from the QuickDial new tab page.
  
• Fixed an issue with the alternative stylesheet menu in the browser's UI not working.
• Implemented the use of intrinsic aspect ratios for images to improve layout during load and page positioning.
• Added a preference to the use of node.getRootNode and disabled by default. See implementation notes.
  
• Added CSS -webkit-appearance as an alias for -moz-appearance to improve compatibility with websites that only try to use Chrome-specific keywords to style standard form elements.
• Updated the SQLite library to 3.33.0.
• Reinstated precise floating point precision model in JavaScript for those alternate builders who foolishly try to use the inaccurate "fast" model.
• Improved spec compliance of modular JavaScript use (ECMAScript modules).
• Changed media errors to be a more generic response, and added a preference (media.sourceErrorDetails.enabled) to enable detailed error reporting of media errors for debugging purposes.
  Previously, detailed errors were provided by default which could lead to privacy issues.
• Improved code stability of the AbortController implementation.
• Fixed a race condition in the secure connection library (NSS).
• Security issues fixed: CVE-2020-15664, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 defense-in-depth, 1 rejected, 9 not applicable.

• In 28.11.0 we introduced node.getRootNode because some websites would fail with an error if this function was not present. Unfortunately, this caused problems with other sites that (incorrectly) assume Google WebComponents are available when this utility function is present (feature detection gone wrong). While it is considered by some to be part of the Google WebComponents implementation, it actually has utility value outside of that use. Because of the problems caused, we've added a preference and disabled it by default, fixing these kinds of websites.
  When needed, you can re-enable this function with dom.getRootNode.enabled
  This should improve web compatibility by default yet still allow users to enable this function for websites that use its utility but do not use WebComponents.

v28.12.0 (2020-08-04)

• Added controls for WASM to the browser's preferences, and enabled by default.
• Enabled various arbitrarily-disabled CSS functions.
• Added the use of basic path descriptors (i.e. polygon) to css clip paths.
• Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below.
• Updated the included US-English dictionary, adding approximately 2500 additional words.
• Removed the DOM battery API. This was already disabled for privacy reasons for a long while.
• Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries.
• Fixed an issue with the sessionstore tab load preference.
  
• Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658)
  
• Fixed a code issue with base64 encoding of data.
• Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD
• Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652)
  
• Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable.

1. In 28.11.0, we introduced the Abort API as new code. The implementation of it still had an issue where especially web workers would not always see the availability of abort signals on fetch requests while AbortSignal was implemented in the browser. This effectively made some websites (especially those using a particular polyfill for the Abort API that would detect the need to polyfill by way of Request.signal) throw errors that were fine before. We offered users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled).
   v28.12.0 fixes the multi-threaded handling of signals, which should solve these problems. As such, the workaround is no longer needed and upon upgrade the preference will be reset to enable AbortControllers again.
2. DLL-hijacking on Windows would only be possible if a malicious actor already either gained administrative access to the program's installation folder or otherwise have unrestricted access to the program folder (by having it installed in local application folders inside the user's profile space or other insecure program locations). In that case the system is already compromised and any executable can be replaced, so having dll loading hijacked would be the least of your concerns (i.e. the main program .exe could also be replaced/infected in that case).
   

v28.11.0 (2020-07-14)

• Changed storage format for certificates and passwords to SQLite.
• Added a preference (browser.tabs.insertAllAfterCurrent) to enable always adding new tabs after the current tab, whether related or not.
  
• Changed the way Firefox extensions are displayed in the add-on manager (provide a clear warning).
• Denied other types of add-ons that aren't explicitly targeting Pale Moon's ID.
• Improved the browser's DPI-awareness to be per-monitor instead of system-wide, on supported Windows operating systems.
  
• Updated bookmark backups code with the other half of what should have been done way back when, so they work fully as-intended.
• Added a preference (browser.bookmarks.editDialog.showForNewBookmarks) to enable immediately showing the edit dialog for new bookmarks.
  If set to true, clicking the star in the address bar will pop open the edit dialog immediately for changing details/sorting.
• Fixed the useragent string in native mode, and updated UA code to properly respond to live changes to some preferences.
• Tidied up front-end browser JavaScript.
• Changed the way sources are compiled (on-going de-unification).
• Improved compatibility with gcc v10
• Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
• Fixed some build issues in non-standard configurations.
• Fixed wrong positions when calculating the position for position:absolute child inside a table.
• Aligned file name extension of saved url files with other applications (lower case)
• Fixed building with --disable-webspeech (to disable speech synthesis)
• Added global menubar support for GTK.
• Implemented node.getRootNode
• Implemented AbortController (Abort API)
• Improved the uninstaller to use elevation when prudent and actually remove program files.
• Fixed a rare issue with editable page content.
• Fixed a crash related to ES module scripts.
• Aligned ES module scripting better with the current spec and removed eager instantiation.
• Fixed a potential issue with the JPEG encoder. (CVE-2020-12422) DiD
• Fixed a potential issue with AppCache manifests. DiD
• Fixed a potential crash in JavaScript date parsing.
• Fixed a problem with RSA key generation that would make it potentially vulnerable to side-channel attacks. (CVE-2020-12402)
  
• Fixed a potential crash due to multithread race condition. DiD
• Fixed a correctness issue in URL handling. (CVE-2020-12418) DiD
  
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 4 defense-in-depth, 10 not applicable.

v28.10.0 (2020-06-05)

• Implemented URLSearchParams' sort() function
• Implemented ES2020 globalThis for web compatibility
  
• Improved our WebM media parser to be more tolerant to different encoding styles.
• Improved our MP3 media parser to be more tolerant to different encoding styles and particularly tiny files/stream chunks.
• Improved performance of table drawing for more corner cases
• Changed the way images without a src are handled in page layouts to align with the Chrome-pushed spec.
  
• Added modern MIPS support
• Split out the ICU data file from xul.dll on Windows
• Fixed a regression in WebAudio channel handling due to a landed security fix.
• Fixed a regression preventing scripting from properly disabling input controls
• Fixed an issue with border radius sometimes not being honored in tables
• Fixed some build issues in non-standard configurations.
• Removed more telemetry code
  
• Removed the in-browser speech recognition engine and API
• Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
• Changed handling of braille blanks in the ui (CVE-2020-12409) DiD
• Mitigated a potential timing attack against DSA keys in NSS (CVE-2020-12399)
• Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 1 defense-in-depth, 8 not applicable.

v28.9.3 (2020-05-08)

• Fixed a potential vulnerability in the zip file reader. DiD
• Fixed a potential vulnerability in the JavaScript JIT compiler related to aliases. DiD
• Ported several upstream devtools fixes (addresses CVE-2020-12392 and CVE-2020-12393).
• Improved memory safety of some WebAudio calls.
• Improved memory safety in the XUL window destructor. DiD
  
• Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 defense-in-depth, 16 not applicable.
  

v28.9.2 (2020-04-30)

• Re-based the 28.9 version of browsers on a separate development branch that excludes the extensive work being done for Google WebComponents, to avoid potential performance and stability issues caused by as-of-yet incomplete and in-progress code for the new milestone.
• Enabled DOM High Resolution timestamps for compatibility with websites that strictly rely on them for operation.
  
• Added a preference to allow copying the unescaped URL from the address bar (especially useful for internationalized domain names and paths).
  To enable this, set browser.urlbar.decodeURLsOnCopy to true in about:config
• Fixed several application crashes (thanks, Fysac!)
  

v28.9.1 (2020-04-10)

• Re-imported the ExtensionStorage js module for use by browser extensions.
• Fixed an issue with the WebRequest module having erroneously un-processed build directives in it. This might have caused some subtle breakage.
• Removed the use of high-resolution Windows system timers from the layout refresh driver; this should help with some performance and battery life issues.
• Fixed an issue where various parts of hardware acceleration weren't properly linked when changing the option from preferences.
  If you have changed the preferences option to "use hardware acceleration when available" between 28.9.0 and this release, it is recommended that you go into preferences and toggle the option off/on to the preferred setting to correct any discrepancies.
  
• Fixed an issue with building the user-agent string using the build date as ID.
• Fixed an issue with the release of document content viewers (CVE-2020-6819). DiD
• Fixed an issue with handling functions with rest parameters. DiD
• Unified XUL Platform Mozilla Security Patch Summary: 2 defense-in-depth, 14 not applicable.
  

v28.9.0.2 (2020-03-25)

• Fixed an issue with browser migration and initialization code causing various browser run-time problems.
• Fixed an issue with cache behavior where some users would have trouble having their windows and tabs restored in "soft refresh" mode (see v28.9.0 release notes).
  To solve this, we reverted to the previous (pull from cache) mode for now while we investigate the cause.
  

v28.9.0.1 (2020-03-25)

v28.9.0 (2020-03-24)

• Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
• Implemented promise-based media playback.
• Implemented non-standard legacy CSSStyleSheet rules functions.
• Implemented the html5 <dialog> element. To switch this on, flip dom.dialog_element.enabled to true.
• Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
• Added 1.25x playback speed to html media elements.
• Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories.

• Aligned document.open() with the overhauled specification.
• Aligned the way DOM styles are computed with mainstream browser behavior.
• Removed the (unused) DOM promise implementation.
• Enabled seeking to next frame in media files.
• Enabled dynamic UA updates for emergency use.
• Implemented rule processing stub for font-variation-settings.
• Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
• Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
  
• Improved reporting of the operating system in site-specific user-agent overrides.
• Improved table drawing performance again after the rewrite for sticky positioning making it slower.
  
• Updated CSP processing to allow custom scheme wildcards to be specified without a port.
• Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
• Changed the way hardware acceleration is controlled from the application.
• Changed the default monospace font for main languages from Courier New to Consolas.
  This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
• Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config.
  
• Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
  For extensive release notes with all NSS changes, see NSS_Releases
• Implemented an NSS performance optimization for Master Password use with limited effect.
• Fixed some potential crashing scenarios with WebGL on Linux.
• Completely removed showModalDialog.
• Disabled some logging in production builds.
• Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
• Removed support for a number of critical libraries being system-supplied.
• Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
• Removed a bunch of Android and iOS support code.
• Fixed an issue with form elements sometimes being incorrectly disabled.
• Fixed several crashes.
• Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
• Performed various tree-wide code cleanups.
• Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
• Cleaned up the application updater code.

• Fixed a potential pointer issue in cubeb. DiD
• Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
• Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
• Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
• Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
  
• Updated our sctp library code with several upstream fixes.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.
  

v28.8.4 (2020-03-01)

• Implemented optional catch binding (ES2019).
• Fixed a hazardous crash related to module scripting (CVE-2020-9545).
  

v28.8.3 (2020-02-18)

• Fixed an issue in CSP blocking requests without a port for custom schemes.
• Fixed a potentially hazardous crash in layers.
• Fixed random crashes on some sites using IndexedDB.
• Changed the way the application can be invoked from the command-line to prevent a whole class of potential exploits involving modified omnijars.
  If your special-needs environment requires that you launch the browser with custom browser/gre omnijars from the command-line, you must set the UXP_CUSTOM_OMNI environment variable before launch from this point forward.
• Fixed an issue in the html parser after using HTML5 template tags, allowing JavaScript parsing and execution when it should not be allowed, risking XSS vulnerabilities on sites relying on correct operation of the browser. (CVE-2020-6798)
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 2 DiD, 10 not applicable.

v28.8.2.1 (2020-02-04)

v28.8.2 (2020-01-28)

• Reverted the addition of JavaScript regular expression lookarounds since the implementation caused crashes. We'll have to revisit this later.
• Fixed an issue where FTP servers would hang the browser if they were not sending answers according to the protocol specification.
• Added a workaround for GitHub trying to enforce more Google-isms (which we don't support at this time) to browsers that identify as "Firefox-alike".
  

v28.8.1 (2020-01-11)

• Fixed a sampling issue in libsoundtouch (DiD)
• Fixed an issue with a new upcoming Windows 10 feature not honoring Private Browsing mode by default (DiD)
• Fixed several stability and memory safety hazards. (DiD)
  
• Fixed an issue where files could inadvertently be executed with the designated file type handler instead of opened. (CVE-2019-17019)
• Fixed an issue with the JavaScript JIT compiler that could lead to exploitable crashes. (CVE-2019-17026) actively exploited
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 7 DiD, 12 not applicable.
  

v28.8.0 (2019-12-10)

• Added support for modern Solaris operating systems like Illumos (thanks Athenian200!).
• Implemented position:sticky for table parts - You can now use CSS to e.g. stick table headers so they don't scroll off the screen!
• Enabled basic implementation of module type scripting. While not fully spec compliant (yet), this will fix the few web compatibility issues with sites that rely on this feature without fallback (e.g. the Chromium bugtracker).
  
• Implemented Promise.prototype.finally() (ES2018).
• Implemented Regular Expression lookbehind (ES2018).
• Implemented Regular Expression /s flag (dotAll support) (ES2018).
• Implemented String.prototype.matchAll (regex) (ES2020).
  
• Added Ekoru to the list of default search engines. This is a Bing-backed search engine that donates the majority of its revenue to various charities that support the planet and animals. An environment-supporting alternative to Ecosia if you don't want to support Google in the process.

• Changed the way tables are rendered to fix a number of spec compliance issues and allow relative positioning of table parts.
• Now building against the Windows 10 SDK 10.0.17763.132 for increased compatibility with Windows 10 and improved Spectre mitigation.
• Removed the unused DiskSpaceWatcher component.
• Updated cairo code.
• Updated SQLite to 3.30.1.
• Updated the Brotli library to 1.0.7.
• Updated the woff2 library to 1.0.2.
• Updated the OpenType Sanitizer to 8.0.0.
• Updated the Javascript math library for precision and performance fixes.
• Updated the embedded Emoji font to Mozilla's COLR-mapped twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
• Improved CSS grid rendering.
• Changed packaging for archives to use 7z/xz instead of zip/bz2.
• Made the second argument of (DOM/CSS) insertRule() optional for (Chrome) web compatibility.
• Removed the non-standard object.prototype.watch()/unwatch() functions. Please note that this may affect some extensions; those will need to be updated to no longer use these non-standard functions.
  
• Fixed the status bar module to work around an issue with relying on watch()/unwatch().
  
• Fixed a build failure in the libcubeb sndio module.
• Fixed a small oversight in the release branch that would potentially still mark "jnlp" (Java Web Start) files as executable.
  
• Fixed the certificate retrieval logic in the certificate exception dialog.
• Fixed an issue with add-ons potentially getting confused during add-on updates due to cached scripts.
• Fixed a crash due to unnecessary reparenting calls in layout.
• Reinstated the mentioning of the number of accelerated/total windows in Troubleshooting Information, for completeness.
• Moved the embedded font for Emoji from application to platform so all UXP applications can easily benefit from it (thanks Tobin!).
  
• Cleaned up the jemalloc code: Removed dead/unused code, removed conditionals around "always on" code, and made the allocator VLA-free.

• Removed the silent fallback to insecure install locations on Windows.
  Pale Moon will no longer by default install into unprotected program locations (this was a regression in v28).
  If your operating system account does not have the necessary privileges, you need to manually select an accessible folder to install into. This is important to prevent malware from modifying installed programs in well-known but otherwise unprotected installation locations.
  
• Added a preference for, and disabled, the confirmation prompt for URL authentication (prevents evil traps).
• Disabled the use of HPKP by default due to the inherent risks involved with this feature. A preference was added to completely disable header processing, and using preloaded pins is effectively disabled. Please note that this is automatically disabled by default for everyone, regardless of your previous setting for this feature, and it is strongly recommended you keep this feature disabled. HPKP will eventually be removed (overall Internet concensus).
• Fixed a potential issue when interacting with plugins. (DiD)
• Fixed a potential crash scenario when reading PAC configuration. (DiD)
• Fixed a potential issue with text selection painting. (DiD)
• Fixed an issue with element references not being properly updated. (DiD)
  
• Fixed an issue with incorrect saving of web pages as text. (DiD)
  
• Fixed a potential issue with clipboard handling. (DiD)
• Fixed a potential issue with attaching the debugger to web workers. (DiD)
• Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745.
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 8 DiD, 16 not applicable.
  

v28.7.2 (2019-10-29)

• Disabled the use of ICC color profiles for images on Linux by default.
• Updated timezone data for internationalization functions.
• Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
• Fixed an issue with inner window navigation potentially leaking.
• Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
• Ported some expat parser fixes from upstream.
• Ported several NSS upstream fixes to our build.
  
• Aligned handling of U+0000 in the html5 parser with expectations.
• Added size checks to WebGL data buffering.
• Fixed build issues with newer glibc versions.
• Fixed build issues for ARM targets.
• Worked around a gcc9 compiler issue that would prevent building with it.
• Sec bug fixes: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don't have a CVE number.
• Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.
  

v28.7.1 (2019-09-12)

• Fixed an issue where saving a webpage to disk would sometimes drop tags from the document.
• Fixed an issue with click-to-play plugin content throwing up a blank notification.
• Fixed an issue in the renderer where region intersections would sometimes return the wrong result.
  This fixes a regression caused by the fix for CVE-2016-5252.
  
• Fixed security issues: CVE-2019-11744, CVE-2019-11752, CVE-2019-11737, CVE-2019-11746, CVE-2019-11750, CVE-2019-11747 and CVE-2019-11738.
• Unified XUL Platform Mozilla Security Patch Summary: 7 fixed, 1 DiD, 1 already covered, 22 not applicable.
  

v28.7.0 (2019-08-29)

• Landed a large JavaScript parser tune-up, which as a targeted goal brings our ES6 stringification fully in line with the ES2018 revision for classes, and implements rest/spread parameters for object literals. (Cheers to Luke!)
• Fixed a crash with the tuned-up parser code when certain error messages were triggered.
• Aligned browser behavior with mainstream regarding inner window behavior when domain is manipulated.
• Improved performance dealing with frame properties.
• Improved performance for handling html5 strings.
• Improved performance of image content loading.
• Fixed potential type confusion in array joins.
• Fixed an issue on some pages causing high CPU usage when wrongly specifying plugin content.
• Fixed an issue with the add-ons manager "discover" pane if no network connection is present.
  
• Fixed an issue with bookmark/history search results offering context menu options that would be invalid without a selection.
• Fixed the devtools JSON viewer and enabled it by default.
  
• Fixed searching from about:home not working for search plugins using the POST method.
• Fixed an issue with the checkboxes for location bar preferences.
• Fixed SVG alignment issues if SVG-containing elements fall on odd pixel sizes, causing blurry display of especially small SVGs like icons/glyphs.
  SVGs will now always be pixel-snapped to provide expected crisp display.
• Fixed precompilation of Sync client modules when packaging. This also removes the redundant services.sync.enabled pref.
• Added support for matroska containers and h264-based webm video formats.
• Added support for AAC audio in matroska and webm video formats.
• Added support for spaces in the Mac package and application name.
• Added an exception to the unique file origin policy for font types.
• Added native file picker support for xdg on Linux.
• Updated the default bookmark icons.
• Updated the SQLite lib to 3.29.0.
• Removed e10s information from about:troubleshooting.
• Removed hotfix leftovers.
• Removed the WebIDE developer tool.
  
• Removed conditional build-time disabling of the Pale Moon status bar code.
• Removed "Delete this page" and "Forget about this site" links from live bookmarks (since they make no sense on feeds).
• Removed the Financial Times' polyfill user-agent override since they updated their detection to work with Pale Moon.
  

Release notes for older versions than those listed here