Pale Moon: Release notes

v28.7.2 (2019-10-29)

• Disabled the use of ICC color profiles for images on Linux by default.
• Updated timezone data for internationalization functions.
• Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10.
• Fixed an issue with inner window navigation potentially leaking.
• Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security.
• Ported some expat parser fixes from upstream.
• Ported several NSS upstream fixes to our build.
  
• Aligned handling of U+0000 in the html5 parser with expectations.
• Added size checks to WebGL data buffering.
• Fixed build issues with newer glibc versions.
• Fixed build issues for ARM targets.
• Worked around a gcc9 compiler issue that would prevent building with it.
• Sec bug fixes: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don't have a CVE number.
• Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable.
  

v28.7.1 (2019-09-12)

• Fixed an issue where saving a webpage to disk would sometimes drop tags from the document.
• Fixed an issue with click-to-play plugin content throwing up a blank notification.
• Fixed an issue in the renderer where region intersections would sometimes return the wrong result.
  This fixes a regression caused by the fix for CVE-2016-5252.
  
• Fixed security issues: CVE-2019-11744, CVE-2019-11752, CVE-2019-11737, CVE-2019-11746, CVE-2019-11750, CVE-2019-11747 and CVE-2019-11738.
• Unified XUL Platform Mozilla Security Patch Summary: 7 fixed, 1 DiD, 1 already covered, 22 not applicable.
  

v28.7.0 (2019-08-29)

• Landed a large JavaScript parser tune-up, which as a targeted goal brings our ES6 stringification fully in line with the ES2018 revision for classes, and implements rest/spread parameters for object literals. (Cheers to Luke!)
• Fixed a crash with the tuned-up parser code when certain error messages were triggered.
• Aligned browser behavior with mainstream regarding inner window behavior when domain is manipulated.
• Improved performance dealing with frame properties.
• Improved performance for handling html5 strings.
• Improved performance of image content loading.
• Fixed potential type confusion in array joins.
• Fixed an issue on some pages causing high CPU usage when wrongly specifying plugin content.
• Fixed an issue with the add-ons manager "discover" pane if no network connection is present.
  
• Fixed an issue with bookmark/history search results offering context menu options that would be invalid without a selection.
• Fixed the devtools JSON viewer and enabled it by default.
  
• Fixed searching from about:home not working for search plugins using the POST method.
• Fixed an issue with the checkboxes for location bar preferences.
• Fixed SVG alignment issues if SVG-containing elements fall on odd pixel sizes, causing blurry display of especially small SVGs like icons/glyphs.
  SVGs will now always be pixel-snapped to provide expected crisp display.
• Fixed precompilation of Sync client modules when packaging. This also removes the redundant services.sync.enabled pref.
• Added support for matroska containers and h264-based webm video formats.
• Added support for AAC audio in matroska and webm video formats.
• Added support for spaces in the Mac package and application name.
• Added an exception to the unique file origin policy for font types.
• Added native file picker support for xdg on Linux.
• Updated the default bookmark icons.
• Updated the SQLite lib to 3.29.0.
• Removed e10s information from about:troubleshooting.
• Removed hotfix leftovers.
• Removed the WebIDE developer tool.
  
• Removed conditional build-time disabling of the Pale Moon status bar code.
• Removed "Delete this page" and "Forget about this site" links from live bookmarks (since they make no sense on feeds).
• Removed the Financial Times' polyfill user-agent override since they updated their detection to work with Pale Moon.
  

v28.6.1 (2019-07-25)

• Improved handling of FTP resource loading (allow save-as and cater to some FTP-based browsing).
• Added a preference (security.block_ftp_subresources) to allow users to completely bypass the blocking of FTP subresources if required for their environment, if the improvements made in this release do not suffice.
• Added blocking of authentication-locked cross-origin image subresources by default to prevent spurious auth prompts.
  A preference (network.auth.subresource-http-img-XO-auth) was added to allow users to bypass this blocking if required for their environment.
• Changed the behavior of file: URIs to treat each URI as a unique origin. This prevents cross-file access from scripting.
  A preference (security.fileuri.unique_origin) was added to allow users to relax this restriction if required for their environment.
• Implemented a revised version of http2PushedStream to address some thread safety issues.
• Aligned browser behavior with mainstream regarding inner window behavior when domain is manipulated.
• Backed out a 28.5.* patch for causing multiple issues in the UI and web content.
• Updated NSS to 3.41.2 (custom) to pick up several upstream fixes.
  
• Fixed a type confusion issue in JavaScript Arrays. (DiD)
• Added a fix for cross-thread access of Necko. (DiD)
• Added a port safety check for Alternative Services.
• Implemented fixes for applicable security issues: CVE-2019-11719, CVE-2019-11711, CVE-2019-11715, CVE-2019-11717, CVE-2019-11714 (DiD), CVE-2019-11729 (DiD), CVE-2019-11727 (DiD), CVE-2019-11730 (DiD), CVE-2019-11713 (DiD) and several networking and memory-safety hazards that do not have CVE numbers.
  

v28.6.0.1 (2019-07-04)

• Updated the application icon to provide better visuals on Windows classic and other grey backgrounds.
• Reduced the Master Password hashing rounds to prevent issues with stored password retrieval while still sufficiently strengthening the encryption.
  If you have previously re-keyed the database after the update to 28.6.0, you should do so again by going through the change master password process to reduce access times.
• Updated the WhatsApp Web site-specific user-agent override to respond to Google refusing access based on the old string.
• Updated the branding for the portable launcher.
  

v28.6.0 (2019-07-02)

• Implemented String.prototype.trimStart and String.prototype.trimEnd (ES2019)
• Implemented Array.prototype.flat and Array.prototype.flatMap (ES2019)
• Implemented Symbol.prototype.description (ES2019)
• Added support for gzip-compressed SVG-in-Opentype fonts.
• Updated official branding.
• Updated reader view components.
• Added a preference to control the setting of cookies through meta header information (non-standard feature) and disabled by default.
• Updated ES6 Atomics and re-enabled them.
• Updated internationalization code to support updated time zones and the Japanese Reiwa era.
• Updated NSS to a custom version to have better encryption strength for master passwords.
  IMPORTANT: To use this strong encryption and re-key the password database with it, change your master password (can be changed to the same one you already had if desired, but you have to go through the change password process). Depending on your computer and the number of stored passwords, this encryption update may take some time, so please be patient. Please be aware that once re-keyed, the password store will be locked to the new encryption and will no longer be accessible with the master password in older versions of Pale Moon.
• Restored "Release notes" in the help menu.
• Rearchitectured the application/extension update code.
• Added several performance improvements to DOM and the parser.
• Improved JavaScript garbage collection of dead compartments.
• Fixed a performance issue with painting on some pages.
• Improved performance of some websites with complex event regions.
• Fixed a potential performance issue in display lists on some pages.
• Fixed a rendering bottleneck for the use of XRender when using a remote session.
• Fixed graphical artifacts/flickering when using XRender on Intel or Intel-hybrid GPU setups.
• Added a DiD fix for potential future issues with inlining array natives.
• Fixed a potential UAF situation in the HTML5 parser (DiD)
• Fixed an origin-clean bypass issue.
• Changed the way permissions for predefined sites are loaded.
• Reverted the 28.5.1 change to treat *.jnlp files as executables (CVE-2019-11696) after input from an Oracle representative. Java Web Start files are not executable and should not be treated any different than regular documents handled by external applications.
• Removed SecurityUI telemetry.
• Removed some other dead telemetry code.
• Removed geo-specific selection of default search engines.
• Deprecated the use of FUEL.
• Removed the unused code for "enhanced tiles" in the new tab page.
• Removed preference to brute-force e10s to on.
• Removed Unboxed Array code.
• Removed Unboxed Object code.
• Fixed failure to print if a page contains a 0-sized <canvas> element.
• Fixed an issue with tab-modal dialogs being presented in the wrong order.
• Fixed an issue with the tab bar remaining collapsed in customize mode if normally hidden.
• Fixed an issue with Sync when choosing to overwrite data with synced data.
• Fixed an issue with tab previews on the taskbar.
• Fixed an issue with IntersectionObserver viewport accuracy.
• Fixed Scroll bar orientation on Mac OS X.
• Fixed an issue with anchor/link targets not re-using a named target.
• Fixed a build issue with Gnu-CC on PPC64.
• Fixed browser.link.open_newwindow functionality.

v28.5.2 (2019-06-05)

• Fixed issues with image/texture allocation incorrectly being marked as insecure.
  

v28.5.1 (2019-06-04)

• Restored a global getBoolPref() function shortcut for extension compatibility with old extensions.
  If you are currently using this global function, please change it to Services.prefs.getBoolPref()
• Fixed an issue with the UI when the address bar was removed from the navigation toolbar.
• Fixed an issue with scripting of the Help menu.
• Fixed a crash resulting from non-standard manipulation of XML stylesheets by extensions.
• Fixed Aero Peek (taskbar previews) on Windows.
  
• Fixed browser.link.open_newwindow functionality.
  Sorry, not yet! This will be in the next major update.
  
• Removed the default handler for webcal since the site doesn't seem to be properly maintained.
• Prevented some ways smart places queries could be abused for social engineering attacks.
• Ported an upstream Skia fix.
• Improved the origin-clean algorithm for canvases.
• Improved the efficiency of certain types of memory allocations in the JavaScript compiler.
• Changed the way the application update checker code is hooked up so it will not require a user to go idle before being activated.
  This solves the primary issue with application updates not notifying users as promptly as they should; more improvements are slated for the next major release.
• Applicable security issues fixed: CVE-2019-7317, CVE-2019-11701, CVE-2019-11698, CVE-2019-9817 (DiD), CVE-2019-11700, CVE-2019-11696, CVE-2019-11693, and several potentially exploitable crashes and memory safety hazards that do not have a CVE number assigned to them.
  

v28.5.0 (2019-04-30)

• Redesigned the about box.
• Added "Check for updates" menu entries to the AppMenu and classic menu (since the About box redesign no longer has application update in it).
• Restored the app.update.url.override pref for AUS testing/override.
• Added "Loop" control to html5 video.
• Fixed a crash with frames (e.g. when using Tile Tabs).
• Fixed an issue with textarea placeholders (spec compliance).
• Removed the Windows Maintenance Service one last time.
• Improved http basic auth DoS heuristics.
• Fixed an issue on big-endian machines (e.g. PPC64/linux).
• Removed e10s code from widgets.
• Preffed the various http "Accept" headers and aligned with the Fetch spec (except for image requests).
• Aligned URLSearchParams with the spec.
• Updated several site-specific UA overrides.
• Fixed "Yet Another special case of a flex frame being the absolute containing block"™
• Fixed border drawing when the tab bar is hidden.
• Pref-controlled and disabled the use of unboxed plain objects in JavaScript's JIT compiler.
• Improved handling of interrupted connections through proxies and pseudo-VPN extensions.
• Removed contextual identity.
• Updated the 7zip installer stub to a much more recent code version.
• Fixed an issue with applying percentages to 0 in layout sizes.
• Fixed an issue with calculating linear sums in JS JITed code.
• Added default value feature to get*Pref() preference functions.
• Fixed an issue that would occasionally overwrite the new tab custom URL.
• Updated the SQLite library to 3.27.2
• Killed the crashreporter toolkit files and exception handler hooks.
• Fixed an issue with a missing border on the tab bar when on the bottom.
• Fixed a crash with badly-formatted SVG files.
• Showed the robots to the exit after squatting in the browser for decades.
• JavaScript: Implemented TC39 toString() revision proposal.
• Rearchitectured the JavaScript front-end parser to provide better and more logical parsing of JS code.
• Removed support code and leftovers for unsupported SunOS, AIX, BEOS, HPUX and OS/2 operating systems.
• Fixed a scrollbar arrow issue on OS X.
• Removed all Firefox Accounts code.
• Made the CSS parser more robust and aligned url() behavior with the CSS3 spec in case of bad input.
• Fixed an issue with blocklist updates not actually dynamically applying due to a wrong URL.
• Updated the embedded emoji font to the TweMoji v11.4.0 equivalent.
• Fixed an issue with async/deferred scripts preventing page loads from completing.
  

v28.4.1 (2019-03-27)

• Fixed hover state arrows on some controls.
• Fixed potential denial-of-service issues involving FTP (loading of subresources and spamming errors).
• Disabled Microsoft Family Safety (Win 8.1) by default. This prevents security issues as a result of a local MitM setup.
• Added several site-specific overrides (Firefox Send and polyfill.io) to work around website UA-sniffing isues.
• Implemented the origin-clean algorithm for controlling access to image resources.
• Cleaned up the helper application service code.
• Ported applicable security fixes from Mozilla (CVE-2019-9791, CVE-2019-9792, CVE-2019-9796, CVE-2019-9801, CVE-2019-9793, CVE-2019-9794, CVE-2019-9808 and ZDI-CAN-8368).
  
• Implemented several defense-in-depth measures (for CVE-2019-9790, CVE-2019-9797, CVE-2019-9804, and a JavaScript issue).
• Fixed several memory safety hazards and crashes.
• Binaries are now code-signed again (including the setup program for the installer).
  

v28.4.0 (2019-02-19)

Changes/fixes:

• Removed more telemetry code from the platform.
• Fixed implementation of the IntersectionObserver API to avoid crashes, and enabled it by default.
• Switched to the new ffmpeg decode API to avoid dropping of frames.
• Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes.
• Improved resource-efficiency for internal stopwatch timers.
• Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos.
• Improved the Cycle Collector and Garbage Collector.
• Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen.
• Aligned instanceof with the final ES6 spec.
• Improved Windows DIB (bitmap) clipboard data handling.
• Exposed TLS 1.3 cipher suite prefs in about:config in case people want to disable them individually.
• Allowed empty string on the location.search setter to clear URL query parameters from JS.
• Added a potential fix for external links not opening in the current window/tab (untested).
• Enabled C++11 thread-safe statics in the entire application.
• Updated several preferences for integration with the new add-ons site.

Security fixes:

• Fixed a potential use-after-free in IndexedDB code. (DiD)
• Improved proxy handling to avoid localhost getting proxied. (CVE-2018-18506)
• Ported upstream Skia fixes. (CVE-2018-18356, CVE-2018-18335)
• Fixed an additional Skia issue. (CVE-2019-5785)
• Fixed several potentially-exploitable memory safety hazards and crashes. (DiD)
• Fixed a possible data race when performing compacting GC.

v28.3.1 (2019-01-23)

• Improved toolbar icon display for all DPIs on Windows.
• Disabled the IntersectionObserver API by default while we work on resolving crashes caused by it.
• Added isIntersecting to the IntersectionObserver API per specification.
• Added an option to the preferences window to enable Captive Portal detection (Advanced -> General). If your network connection regularly encounters Captive Portals (e.g. using a laptop on the road or other WiFi connections that require login or agreement to terms) then enabling this detection may make your use of such networks more convenient.
  For those worried about privacy: the detection service makes use of our own infrastructure and does not contact third parties like Apple or Google.
  

v28.3.0 (2019-01-15)

• Added AV1 support for MP4/MSE videos. Please note that this is a reference library implementation and the upstream decoding lib currently has poor performance for higher resolutions (720p+). This is disabled by default; use the about:config preference media.av1.enabled to enable this codec.
  
• Changed the API used for video playback with FFmpeg 58+. This should solve performance issues with VPx.
• Redesigned the main toolbar icons as SVG images to make them HiDPI compliant.
• Fixed the sync notification (infobar) icon.
• Fixed a potential cycle collector resource leak.
• Added icons and controls to tabs to indicate if sound is playing the tab and if so, allowing the user to mute it with a click.
  This is a native implementation of the API in use in Basilisk and performs the same function as the "expose noisy tabs" extension, although the extension may still be preferred by some for e.g. skinning capabilities. The feature may be disabled with browser.tabs.showAudioPlayingIcon.
• Removed support for VR hardware.
• Fixed out-of-bounds sizes for CSS calculation strings.
• Removed the DirectShow component since it is no longer necessary.
• Removed Firefox Accounts integration, phase 1:
  
• Changed the Sync client to the one from Tycho.
• Made Sync optional at build time.
• Stopped trying to cater to addons.mozilla.org since they no longer offer anything useful to Pale Moon after the Great XUL Extension Purge™.
• Added an option to process favicons for optimal sized display and removing animations. Enable this with browser.chrome.favicons.process
• Fixed an incorrect preference reference in feed reader.
• Fixed an issue with lazy frame construction on display:contents elements. This should solve e.g. the use of mathjax in comments on stackoverflow.
  
• Media code improvements and cleanup (ongoing).
• Updated the DropBox useragent override to solve login issues.
• Fixed potential crashes due to shutdown observers in VTT and font lists. DiD
• Enabled some mistakingly-disabled optimizations in the JS JIT compiler.
• Fixed several potential crashes in JS. DiD
• Fixed several potential crashes in WebCrypto. DiD
• Fixed a potential crash in JS Range Analysis. DiD
• Fixed a potential crash in the layout engine due to combo boxes. DiD
• Fixed a potential shutdown crash in non-standard environments related to 2D Canvas. DiD
• Fixed a potential overflow in the PNG writer. DiD
• Fixed a potential double-free in the MAR signing utility. DiD
• Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
• Updated NSPR to v4.20.
• Updated NSS to 3.41, providing (among other things) full compatibility with the final version of TLS 1.3 on websites.
• Updated location.protocol to the latest spec.
• Updated Intersection Observers to the latest spec and enabled them by default.
• Updated the SQLite lib to 3.26.0.
• Fixed errors about the login manager's recipeManager not being available (yet).
• Switched status bar download arrow to SVG.
• Fixed a crash in IntersectionObservers.
• Fixed initialization of the Search service from browser code to avoid synchronous init.
• Added logging of performance warnings to devtools consoles.
• Fixed favicons in taskbar tab preview listings.
• Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
• Fixed issues in the HTML form submit observer module.
• Limited resolving depth of CSS variables to a sane maximum (fixes cras.sh issue).
• Removed Mozilla's proprietary constructor on WebAudio's AudioContext, aligning it with the standard specification.
• Exposed the previously hidden preference in about:config for page thumbnail generation (some people prefer this for local privacy).
• Aligned Element.ScrollIntoView with the DOM specification. This improves, among other things, compatibility with the React framework.

v28.2.2 (2018-12-06)

• Changed the about:feeds icon for external applications to a generic icon, since that kind of access to executables is no longer allowed for security reasons.
• Fixed issues with copying/pasting bookmarks in the Library View.
• Fixed a crash occurring when using HTTP pipelining over some (broken) proxies.
• Fixed several issues with animated WebP display (animations stopping, corrupted frames on lossy images, etc.)
• Fixed an issue with the display of truncated GIF images.
• Fixed an issue with deleting recent history not working properly.
• Fixed incorrect duplicate compatibility mode preferences in about:config.

v28.2.1 (2018-11-16)

v28.2.0 (2018-11-13)

• Fixed a major performance issue with web workers.
• Fixed a rare crash on local networks with HTTP basic auth and unsupported cipher suites.
• Fixed a performance/timer issue when leaving the browser idle.
• Fixed an issue causing an empty dialog when launching executable files from the browser.
• Fixed an issue preventing making entries to disallow sites to store data for off-line use.
• Removed code to prevent extensions with binary components.
• Fixed an issue with common dialogs being sized incorrectly for their content.
• Fixed an issue with event handling on the tab bar that would cause frustrating behavior when trying to open/close tabs in rapid succession.
• Switched default behavior for scrolling when a context or pop-up menu is open to allow scrolling, like in v27. This also affects scrolling in very long menus, e.g. bookmarks.
  
• Added experimental Asynchronous Panning and Zooming (APZ) for desktop use.
• Re-enabled the use and parsing of ICC v4 color profiles.
• Removed telemetry code from the caching subsystem.
• Improved full-screen detection for suppressing status messages.
• Made all arguments passed to Init*Event() optional except the first for parity with other browsers.
• Cleaned up some internal installer code.
• Fixed making caret width configurable when dealing with CJK characters (regression).
• Fixed drawing of table borders consistently when zooming a page (regression).
• Exposed the "Save download location per site" pref in about:config.
• Improved media handling (ongoing).
• Added experimental support for AV1 in WebM videos (disabled by default).
  Note: this is for WebM only for now, so MP4 and MSE AV1 streams (e.g. YouTube) will not (yet) play.
• Removed the (defunct and incomplete) in-browser translation code.
• Fixed an issue with CSS Grid layouts unnecessarily shrinking element blocks.
• Fixed notification settings menu entry (opes about:permissions with relevant data now).
• Fixed the launching of an undesirable background content process for capturing page thumbnails.
• Fixed a focus issue in the bookmark properties dialog.
  
• Changed the setting for reporting CSS errors to the console to false by default, to prevent unnecessary performance loss for recording this data.
• Added control mechanisms for Opportunistic Encryption (both for alternative services and upgrade-insecure-requests) in preferences, and disabled this by default due to potential security and privacy issues with this transitional technology.
• Updated the default reported Firefox version in Firefox Compatibility Mode to prevent "too old Firefox" complaints on websites.
  
• Updated libnestegg, ffvpx, reader view components and several other modules from upstream.
• Implemented security fixes for CVE-2018-12381, CVE-2017-7797, a better fix for CVE-2018-12386 (DiD), CVE-2018-12401 (DiD), CVE-2018-12398, CVE-2018-12392, several Skia bugs, and several crashes and memory safety hazards that do not have a CVE number.
  

v28.1.0 (2018-09-20)

• Updated NSS to 3.38, removed TLS 1.3 draft version check since it's considered final.
• Reinstated RC4 as an optional encryption cypher for non-standard environments (e.g. old routing/peripheral networked hardware on LAN). RC4 and 3DES are marked weak and disabled, and will never be used in the first handshake with a site, only as last-ditch fallback when specifically enabled (meaning they won't show up on ssllabs' test, for example).
• Removed Telemetry accumulation calls, automatic timers and stopwatches. This removes a very noticeable performance sink for all operations on all platforms.
• Fixed many occurrences of discouraged types of memory access for primarily GCC 8 compatibility. This improves overall code security as a defense-in-depth measure.
• Re-implemented the pref-controlled custom background color for standalone images.
• Updated session history handling for internal pages. about:logopage is no longer stored in history, and you can choose to store the QuickDial page in history by setting the pref browser.newtabpage.add_to_session_history to true. This is disabled by default (meaning you can't use the "Back" button to go back to the QuickDial page) as a defense-in-depth security measure.
• Added ui.menu.allow_content_scroll to control whether content can be scrolled if a context menu is open.
• Fixed incorrect code removal in ipc.
• Removed support for TLS session caches in TLSServerSocket.
• Added support for local-ref as SVG xlink:href values.
• Changed the find bar to be a browser-global toolbar again (like in Pale Moon 27) instead of per-tab. For people who prefer search terms to be saved on a per-tab basis (like with the per-tab findbar previously), this is possible by setting findbar.termPerTab to true. This resolves a number of issues, including styling with lightweight themes not applying to the find bar, and status pop-ups overlapping the find bar.
• Ported all relevant security fixes from Mozilla's Gecko/62 release, including CVE-2018-12377 and CVE-2018-12379.
• Restored part of the searchplugin API that was removed by Mozilla, so extensions can provide and save edits to installed search engines.
• Improved the speed of restoring browsing sessions upon startup.
• Fixed the "Restore previous session" button sometimes being missing from about:home, while a restorable session would be present.
  
• Fixed tab previews in the Windows taskbar (if enabled).
• Fixed the setting of the new tab page being "My Home Page" so it'll pick up subsequent changes to the home page URL automatically.
• Removed the Firefox Accounts migrator from Sync.
• Fixed an issue with the enabled state of number controls if appearances changed.
• Stopped building ffvpx on 32-bit platforms (except windows) to use the (faster) system-installed lib instead.
• Re-added a horizontal scroll action option for mouse wheel. (regression)
• Fixed handling of content language if the locale is changed.
• Fixed document navigation with the F6 key.
• Fixed toolbar styling in toolkit themes.
• Fixed viewing the source of a selection.

v28.0.1 (2018-08-31)

• Backed out a Mozilla upstream patch causing issues with IPC and texture allocation for the compositor.
• Backed out a Mozilla upstream patch causing issues with Javascript memory buffer allocation.

v28.0.0.1 (2018-08-28) - Windows only

v28.0.0 (2018-08-16)

• SpiderMonkey update: The JavaScript engine has received a major upgrade and now supports all landmark features from the ECMAScript standards as carried by mainstream browsers. This should put an end to the increasing JavaScript issues we've seen due to web frameworks not being browser-agnostic in that respect, or the browser not supporting what websites expect.
• Goanna update: The layout and rendering engine (Goanna) has been updated to its 4th generation (version 4.*) which brings with it improved compatibility with "trendy" CSS styling techniques that build on a few very specific features (e.g. CSS Grid). Goanna continues to build on tried-and-tested software fallbacks in case hardware acceleration can't be used, and Linux remote desktop users can continue to leverage xrender for speedy remote screen updates in Pale Moon.
• DOM enhancements: Enhancements in the Document Object Model provides websites with updated APIs to perform their tasks. (e.g. Fetch, WebAnimations, WebCrypto, HTML Input Element Extensions, etc.)
• Media enhancements: Our media back-end update is, for all intents and purposes, complete. MSE media streaming (for MP4) should be compatible with all major players on the market now. MSE for WebM is still disabled by default due to some compatibility issues that need to be examined, but you may enable this in preferences to e.g. allow 4k video playback on some sites that only offer UHD in WebM format. We now also support playback of FLAC-encoded audio.
  
• New: WebGL2 support! Pale Moon now supports the WebGL2 standard for enhanced graphical experiences in 2D and 3D.
• Devtools have been given a refresh. Just in case you thought they weren't extensive enough yet, some new categories have been added to inspect and manipulate all aspects of web content.
• Updates to the login manager: Login credentials can now be stored specifically with or without a user name, and selected individually. This is a behavior change from previous, and clicking a password field can now pop-up a selection list of user names for which passwords are stored (if multiple credentials are saved). Clicking the appropriate login name (or date-stamped version if no name is present) will fill in the accompanying password.
• We no longer support Windows Vista.
  

• We continue to support NPAPI plugins.
• We continue to support complete themes as well as lightweight themes.
• We continue to offer a fully customizable interface like before. Australis (like seen in Basilisk) is not used.
  
• We continue to support XUL overlay, bootstrapped and (deprecated) Jetpack extensions (collectively called "legacy extensions" by Mozilla).
  
• We do not include any DRM in the browser (people needing this can use e.g. the Silverlight plugin to play protected content), even though the platform we build on supports it.

Release notes for previous versions (unsupported)