Pale Moon: Release notes

v33.8.0 (2025-07-01)

• Pale Moon now includes all non-ubiquitous image and media types in the navigation Accept: header, as discussed in the relevant whatwg fetch spec issue.
• Implemented .toJSON() for DOMRect, DOMPoint and DOMMatrix.
• Added a base implementation of the SVGGeometryElement API. This is currently limited to .pathLength, getTotalLength() and getPointAtLength(distance)for SVG paths.
  
• Added a base-64/character validity grammar check for CSP nonces.
• Enabled JPEG-XL support unconditionally.
• Improved desktop ARM media capabilities.
• Improved our handling of CSP checks (multiple improvements surrounding loading principal checks).
• Added several Mac-specific file types to be treated as executables.
• Updated the emoji font to Unicode 16.0.0. We can now finally have the "tired dev" emoji 🫩!
• Updated SQLite library to 3.50.1.
• Updated NSS to 3.90.7.1 to fix some issues with some sites due to prior root certificate updates.
• Updated code dealing with internal URL rewrites for Youtube.
  
• Changed the Firefox compatibility mode version to 128.
• Changed how .click() on <A> elements is handled. See implementation notes.
• Changed DOMMatrix's rotate() and rotateSelf() functions to accept 3D rotation instead of 2D, per spec.
• Changed CSS parameter animation to round values instead of truncating them, per spec.
  This affects all integer properties (e.g. z-order) and font-stretching.
• Changed HTML element attribute parsing to additionally escape < and > characters, per spec.
  
• Fixed a regression in XUL <tree> elements where column selection would omit the first-defined column.
• Fixed a minor issue in DOMSVGPoint finity checks.
• Fixed some minor platform issues and updated Mac SDK checks.
• Fixed an issue when device contrast values would be unset in Mac or Windows+DirectWrite.
• Fixed an issue in 33.7.2's updated "Copy as curl" feature which could potentially mangle URLs.
• Fixed an issue with FontFaceSet loading.
  
• Removed support for very old libavcodec versions (before v58).
• Removed the CSP referrer directive as it's no longer in the spec.
• Removed preloading of a number of media libraries on Windows. See implementation notes.
• Removed the allowance of <A> in image maps. Only <area> is now supported.
• Removed several obsolete and unused preferences from about:config.
• Removed obsolete NPN preferences and calls. NPN has long since been replaced by ALPN.
• Removed obsolete SVGZoomEvent interface and handlers.
• Security issues addressed: CVE-2025-6429, CVE-2025-6424 (DiD) and CVE-2025-6426.
  

• Normally, when a script issues a simulated click on an element, that click is issued on the document the element is in. Unfortunately there has been a perceived bug in mainstream browsers where this didn't happen on anchors (<A>, hyperlinks) and the browser would navigate even if that anchor was not actually in a web page document (i.e. just created as a reference in scripting). This was eventually made an accepted behaviour in the specification as an exception, describing this bug as expected behavior. Pale Moon has now changed how it handles .click() events on anchors to follow this behavior. This primarily impacts some select "download button" behavior on the web where this behavior quirk for anchors is relied on.
• Previously, Pale Moon would preload a number of media .dll files into the browser, causing resource use even if there was no media to be decoded or played back in the browsing session yet. This was primarily done in inherited Mozilla code for EME to work. Since we don't support in-browser DRM, this preloading is wholly unnecessary and has been removed.

v33.7.2 (2025-06-03)

• Addressed PWN2OWN-2025-1 (out of bounds read or write in promise) DiD
• Addressed PWN2OWN-2025-2 (out of bounds read or write when using the ExtractLinearSum optimization) DiD
• Fixed potential unexpected behavior in embedded protobuf code. DiD
• Fixed an issue with potentially uninitialized contrast values when enhanced device contrast values can not be read from the O.S. DiD
• Fixed potential sanitization issues with devtools' "Copy as curl" feature.
  It should be noted that we do not currently offer cross-platform "curl" features, so this is another DiD for this release.

v33.7.1 (2025-05-06)

• Fixed a crash dealing with BigInt in Javascript compilation.
• Updated NSS to 3.90.7 to pick up a security fix.
• Updated devtools to escape some more characters in "Copy as cURL" on POSIX operating systems. DiD

v33.7.0 (2025-04-08)

• Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
  
• Our minimum GCC version requirement to build is now 9.1.
  
• Improved channel handling when CSP blocks network redirects.
• Implemented several fixes for CORS preflight requests.
  
• Added explicit whitelisting from CSP content loading of javascript: scheme URLs.
• Updated the ffvpx library to 6.0.1, this time preventing video color range regressions. An update to 6.0 was previously backed out in 33.5.0.
  
• Updated the JPEG-XL library to 0.11.1 to pick up several fixes and improve decoding compatibility of jxl files.
• Updated the SQLite library to 3.49.1.
• Fixed a spec compliance issue with DOMRect and DOMQuad returning 0 if NaN was present. We now return NaN in that case, per spec.
• Fixed a spec compliance issue with NTLM authentication. We now compute Channel Binding Hashes using the certificate signature's hash algorithm, per spec.
  Note that particularly weak algorithms are not used and SHA256 will be used as a minimum, instead, in those cases.
  
• Fixed a buildability issue on Mac with XCode 16.3.
  
• Added some additional safety checking to SharedArrayBuffers.
• Added some additional safety checking to XSLT compilation and transformation.
• Windows only: Added a preference widget.windows.follow_shortcuts_on_file_open to control how Windows File Open dialogs handle shortcut links. See implementation notes.
• Security bugs addressed: CVE-2025-3028 (DiD) and CVE-2025-3033 (see implementation notes).

• Windows only: This version introduces a new (numeric) preference to control how the "Open File" dialogs handle shortcut links in the file system.
  A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevents the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating "through" shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, this would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Pale Moon, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value 0 which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers that you don't exactly know what they do (and never take their explanations at face value).
  

v33.6.1 (2025-03-11)

• Simplified some WASM code generation in the Ion JIT compiler.
• Fixed a crash in loading external resource maps.
• Disabled potentially unsafe attempts at recovering JIT operations.
• Fixed some minor linking issues in about:rights.
• Updated the embedded emoji font to fix incorrect display of some of the wheelchair emoji.
• Security issues addressed: CVE-2025-1934 (DiD).

v33.6.0.1 (2025-02-20)

• Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
  
• Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
• Added a few other small fixes that are tangentially related to the code changes made.

v33.6.0 (2025-02-07)

• Implemented a content sniffer for ADTS and raw AAC audio.
• Implemented AbortSignal.abort() and stub AbortSignal.timeout().
• Unprefixed the :modal CSS pseudo-class and exposed it to content.
• Improved efficiency and performance of the Cycle Collector.
• Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
• Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
  
• Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
• Updated the root certificates in the internal trust store.
• Updated the Public Suffix List (eTLD) in the browser.
• Removed no longer specced URL Constructor(DOMString url, URL base).
  
• Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
• Changed the default Firefox Compatibility user-agent version to 115.0.
  
• Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
  
• Fixed a number of bugs and spec compliance issues in WebCrypto.
  
• Fixed installer application naming issue causing failure to detect running application.
  
• Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
  
• Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
  
• Fixed a crash in the XSLT stylesheet importing code.
  
• Updated NSS to 3.90.6 (custom) to pick up several security fixes.
• Security issues addressed: CVE-2025-1009.

• When updating the browser to this version, a one-way upgrade of the cookie database in your browser profile is performed on first start. The new cookie database is not backwards compatible, meaning you cannot use the browser profiles that have been upgraded by this version or later with any prior versions of the browser without data loss.
  This is generally the case as most upgrades of user data storage are one-way, but having all your cookies cleared unintentionally is something most people prefer to avoid, hence this warning and a general reminder of profile migrations to newer versions that may happen with any (non-minor) browser upgrade.
  

v33.5.1 (2025-01-15)

• Changed the way cookies are handled internally to fix an issue with cookie database corruption as a result of updates to domain suffixes.
• Fixed an issue with Alternative-Services protocol negotiation.
• Fixed a potential crash scenario with Structured Clone operations. DiD
• Fixed a potential issue with line breaking if out of memory.
• Fixed a rare crash with opportunistic encryption.
  
• Minor code cleanup.
• Security issues addressed: CVE-2025-0239 and CVE-2025-0238.
  

v33.5.0 (2024-12-05)

• Implemented Regular Expression "match indices" (/d) feature.
  
• Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
  
• Updated handling of referrer policies to adhere to the updated spec.
  
• CSS font variations keywords no longer throw an error. See implementation notes.
  
• CSS border-radius will now also apply to element outlines.
  
• Improved the display of amount of cached web content in preferences when cache is being cleared.
  
• Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
• Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
  
• Refreshed the built-in list of effective top-level domains.
  
• Fixed several application crashes.
  
• Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
• Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
  
• Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
• From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
  
• Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).

• The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse the -variations keywords allowing variation alternative font-faces to be loaded, even if no base font was specified. To webmasters only supplying @font-face entries with variations keywords: please understand the intent of this CSS 4 spec and always provide a base font entry (graceful fallback).

v33.4.1 (2024-11-05)

• Added a processor check to the 64-bit installer for Windows to check for AVX.
  Note: this check does not work on Window 7/8/8.1 and will allow installations on non-AVX processors there.
  Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation.
• Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
• Addressed CVE-2024-10463.

v33.4.0.1 (2024-10-09)

• Extension compatibility issues with the ghostbuster (leading to tab handling problems).
• Windows 7 compatibility issues in 32-bit builds on some systems (leading to application UI paint failures/black window).
  

v33.4.0 (2024-10-08)

• Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
• Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
• Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
• Improved buildability on NetBSD and Altivec architectures.
• Fixed building issues on Apple Silicon Mac with XCode 16.
• Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
• Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
• Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
• Dev: Implemented ES2023 Hashbang grammar proposal.
  
• Fixed an issue with JavaScript's StructuredClone.
• Security issues addressed: CVE-2024-9396.
• Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

• When very complex "modern" websites get closed by the user, it is possible that the browser is unable to properly release all the resources attached to it, especially those resources, modules and scripts that were part of Shadow DOM or complex interlinked module scripts. This can then result in "detached" web content and scripts that continue to use memory, have active event listeners and loaded scripts. Mainstream browsers are less affected by this as their multi-process setups will effectively "throw the baby out with the bath water" by simply killing the relevant content process. Since we don't have that luxury of a lazy solution to an architectural problem, we need to handle these so-called "ghost windows" resulting from this problem internally without restarting the browser process. This version of Pale Moon introduces the "ghostbuster" concept to try and address this: an automated, internal mechanism that periodically checks for the existence of ghost windows and severs links of them, so that garbage/cycle collection can come in afterwards and release the resources, hopefully preventing browser slowdowns and inflated memory usage over time. If this, for some reason, causes issues for you, you can disable the ghostbuster by setting the preference browser.ghostbuster.enabled to false. Also please report (in detail) on the forum about the issue you're having if flipping this preference to false resolves it, so we can look into improving this new feature.
• By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
  
  • security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
  • content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
  There are dragons hiding in these two preferences. Please handle them responsibly.

v33.3.1 (2024-09-10)

• Backed out support for FFmpeg 7.0/libavcodec 61 (Linux) due to it causing a major regression in WebAudio (broken on all platforms). This is being worked on to re-land at a later date.
• Restricted the NotifyPaintEvent interface to chrome code only; there is no reason (other than potential tracking/fingerprinting) to have this accessible from content.
• Fixed a potentially exploitable issue in JavaScript (FetchName).
• Fixed a code correctness issue in XPConnect when creating sandboxes. DiD
• Added a warning for using externally handled usenet protocols.
• Security issues addressed: CVE-2024-8383 and CVE-2024-8381.

v33.3.0 (2024-08-13)

1. From this version forward, all 64-bit releases require a processor with AVX capabilities! Please keep an eye on the forum for announcements of 64-bit SSE builds by the community if you are on particularly old or otherwise limited hardware that does not support AVX.
2. For Linux users: Starting with this version, our binaries are built with gcc 11 on a still conservative but more modern build platform (Oracle Linux 8). As a result, there may be some lib incompatibilities if you are still running on a particularly old distro for some reason. While we try to serve as broad of a Linux base as possible with our binaries, our lowest common denominator will occasionally shift to newer distros as a result of O.S. life cycles, compiler capabilities and available libraries.

• Implemented the bulk of the CSS "cascade layers" spec (@layer{}). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web.
  
• Implemented support for Sec-Fetch-* headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does.
• Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
• Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes.
• Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes.
  
• Dev: Aligned rounding behavior and precision ranges of toFixed and related functions with the spec. See implementation notes.
• Dev: Aligned isTrusted for PostMessage and BroadcastChannel with expected values on the web. See implementation notes.
• Dev: Added the navigator.webdriver attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs).
  
• Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance.
• Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling.
• Fixed an issue with setting DOM color values. DiD
• Slightly improved password form handling, detecting previously unsupported field orders.
  
• Updated NSS to 3.90.4.
• Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates).
  
• Code cleanup:
  
• Removed unused code related to the (incomplete) FoxEye experiment.
• Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux).
• Removed click event dispatching code that is no longer relevant.
• Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code).
• Removed the hidden network.dns.disablePrefetchFromHTTPS pref. DNS prefetching should not be treated differently for http and https.
• Security issues addressed: CVE-2024-7531.

• Pale Moon will now pre-emptively look up the internet addresses in DNS for website navigation (e.g. from links). This speeds up navigation as there will be no delay for DNS lookups when users navigate to a new host or domain from the visited page. Please note that this only deals with DNS (i.e.: looking up the addresses of websites in the domain name system) and Pale Moon will not pre-emptively connect to the servers in question; it will just have the addresses for them ready in case the user decides to navigate to them.
  For some people, this may still be seen as a privacy issue (e.g. when the DNS server operated within an organization is tightly monitored for "unwanted traffic") as it will regularly fire DNS lookups for hosts or domains the user doesn't actually visit, so if this is a concern for you and you wish to revert to our previous behavior, go to Preferences -> Advanced -> tab "Network", and uncheck "Prefetch DNS lookups".
• Pale Moon will no longer allow connecting to the "this machine" special reserved address 0.0.0.0 (and IPv6 equivalents [::]/[::0.0.0.0]) on operating systems other than Windows. This is to mitigate potentially unrestricted access to local resources on UNIX-like operating systems due to the way the network stack operates there. If needed for your use case, you can control this behavior through the preference network.dns.blockQuad0 -- if set to true, any attempt to connect to the reserved addresses will result in an error.
  
• We aligned behavior of number conversions with what is generally expected on the web by mainstream browser engines and/or updated specs. Specifically, toFixed no longer accepts negative precision ranges, and toExponential will now round up at the midpoint in the decimal significand.
• Initially, the mechanisms BroadcastChannel and MessagePort implicitly called for dispatched events to not be trusted, but since browsers marked them as trusted, this was in conflict with the spec. Eventually, the spec for this was changed to make them trusted in this case. Pale Moon now follows this behavior as well.