
Main *Pale Moon Homepage* Pale Moon Start Page Pale Moon Linux Site Pale Moon Add-ons Site Pale Moon Developer Site Pale Moon Forum Basilisk homepage Information Release notes The project > General information Rumor Control Project history Roadmap Pale Moon branding Technical details Screenshots Bounty Program Donations and Support Redistribution Download Pale Moon > Pale Moon for Windows Pale Moon for Linux Pale Moon Portable Pale Moon language packs Other > 3rd Party Builds Archived versions [DEV] Source code Add-ons Extensions Themes Search Plugins Language Packs More... Tools Pale Moon Sync service Profile Backup tool Pale Moon Commander Pale Moon Tab Groups Flash Protected Mode tool Help Forum F.A.Q. Contact Contact
Pale Moon: Release notes General notes: DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy. v32.0.0 (2023-01-24) This is a new milestone release. Primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support. This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of `BigInt` primitives. Special thanks to Martok, Job Bautista and FranklinDM without whom this milestone would not have been possible, and to dbsoft for putting in the effort to work on Mac and FreeBSD builds. Most important changes: Implemented Regular Expression named capture groups. Implemented Regular Expression unicode property escapes. Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ). Implemented progressive decoding for JPEG-XL. Implemented animation for JPEG-XL. Implemented a compatibility mode for `<button>` elements. See implementation notes. Renamed CSS `offset-` properties to `inset-` to align with the latest spec and the web. Fixed CSS inheritance and padding issues in some cases. Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one). Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images. Updated the JPEG-XL and Highway libraries to a recent, stable version. Cleaned up some unused CSS prefixing code. Improved the ability to link on *nix operating systems with other linkers than gcc's default. Stability improvements (potential crash fixes). Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number. UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable. Platform support: We're working on finalizing official builds for Mac OS and FreeBSD. These are currently in beta and can be downloaded from the Contributed Builds page. Please note that you may run into some system compatibility issues with these builds. If you do, please go to the forum and report it in the appropriate board! Implementation notes: To provide users with a temporary work-around for non-compliant websites, a compatibility mode for `<button>` elements was implemented, which will treat `<button>` elements as generic containers instead of actual form button elements. This has been necessary because Chrome is not standards compliant in this respect and website developers regularly make the mistake of trying to use active content on button faces and expecting pointer events to end up being sent to the active content and not the button (which is not what the standard prescribes! See "content model" on the standards page stating there "must be no interactive content descendant"). Webmasters should be alerted to this compliance issue, but it can (temporarily) be worked around in the browser from this point for forward by setting the preference `dom.forms.button.standards_compliant` to `false` and restarting the browser. Note that this is a workaround and the only actual solution is advocacy for the standard and more browsers becoming standards compliant. You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.
Site and contents Copyright © 2009-2022 Moonchild Productions - All rights reserved Pale Moon is subject to the following licensing. Policies: Cookies - User Content - Privacy.

Pale Moon: Release notes

General notes:
DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

v32.0.0 (2023-01-24)

This is a new milestone release.
Primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support.
This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of BigInt primitives.
Special thanks to Martok, Job Bautista and FranklinDM without whom this milestone would not have been possible, and to dbsoft for putting in the effort to work on Mac and FreeBSD builds.

Most important changes:

Implemented Regular Expression named capture groups.
Implemented Regular Expression unicode property escapes.
Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ).
Implemented progressive decoding for JPEG-XL.
Implemented animation for JPEG-XL.
Implemented a compatibility mode for <button> elements. See implementation notes.
Renamed CSS offset-* properties to inset-* to align with the latest spec and the web.
Fixed CSS inheritance and padding issues in some cases.
Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one).
Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images.
Updated the JPEG-XL and Highway libraries to a recent, stable version.
Cleaned up some unused CSS prefixing code.
Improved the ability to link on *nix operating systems with other linkers than gcc's default.
Stability improvements (potential crash fixes).
Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.

Platform support:

We're working on finalizing official builds for Mac OS and FreeBSD. These are currently in beta and can be downloaded from the Contributed Builds page. Please note that you may run into some system compatibility issues with these builds. If you do, please go to the forum and report it in the appropriate board!

Implementation notes:

To provide users with a temporary work-around for non-compliant websites, a compatibility mode for <button> elements was implemented, which will treat <button> elements as generic containers instead of actual form button elements. This has been necessary because Chrome is not standards compliant in this respect and website developers regularly make the mistake of trying to use active content on button faces and expecting pointer events to end up being sent to the active content and not the button (which is not what the standard prescribes! See "content model" on the standards page stating there "must be no interactive content descendant"). Webmasters should be alerted to this compliance issue, but it can (temporarily) be worked around in the browser from this point for forward by setting the preference dom.forms.button.standards_compliant to false and restarting the browser. Note that this is a workaround and the only actual solution is advocacy for the standard and more browsers becoming standards compliant.

You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.