
Main Pale Moon homepage Pale Moon Start page Basilisk homepage Information Release notes The project > General information Rumor Control Project history Roadmap Pale Moon branding Technical details Screenshots Bounty Program Donations and Support Redistribution Awards Download Pale Moon > Pale Moon for Windows Pale Moon for Linux Pale Moon Portable [DEV] Unstable versions Pale Moon language packs Other > 3rd Party Builds Archived versions [DEV] Source code Add-ons Extensions Themes Search Plugins Language Packs More... Tools Pale Moon Sync service Profile Backup tool Pale Moon Commander Pale Moon Tab Groups Flash Protected Mode tool Help Forum F.A.Q. Contact Contact
Pale Moon: Release notes General note: DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. v28.17.0 (2020-12-18) This is a development, bugfix and security update. Changes/fixes: Changed the way dates and times are formatted in the UI to properly adhere to the user's regional settings in the O.S. Re-enabled the DOM Filesystem API for web compatibility. Moved the global user-agent override to the networking component. See implementation notes. Worked around crashes and run-time issues with module scripts. See implementation notes. Fixed a website layout issue with table-styled elements potentially overlapping when placed inside a flexbox. Fixed some code logic issues with websockets. Fixed a regression when waking the computer from standby causing high CPU usage in some uncommon situations. Updated the list of prohibited ports the browser can use. See implementation notes. Updated root certificates. Windows: Changed the way downloaded files without an extension are handled. See implementation notes. Mac-beta: Improved version detection of MacOS including Big Sur. Security issues addressed: CVE-2020-26978 and CVE-2020-35112. Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 deferred to the next release, 16 not applicable. Implementation notes: The global user-agent override was moved to the networking component where it is actually implemented. The new preference name is `network.http.useragent.global_override`. Please note that using a blanket override is normally (very) counterproductive and does not, in fact, help much with privacy. It would also override the compatibility modes (Native/Gecko/Firefox) in Pale Moon. As such, the browser will now warn you if the user-agent is globally overridden (in preferences) and allow you to easily reset that override and re-enable the various compatibility modes. Module scripting caused some persistent and very hard to track browser crashes that we've narrowed down to a specific optimization in the JavaScript JIT (Just-In-Time) compiler (IonMonkey). This optimization is now disabled by default but if you need that little extra performance (usually only noticed in very optimized code or some benchmarks) then you can re-enable it, trading in stability, by setting the new preference `javascript.options.ion.inlining` to `true`. Prohibited ports: Pale Moon maintains a blacklist of ports the browser may normally not connect to on servers, to mitigate abusive web scripting employing your browser as an attack bot on servers (e.g. by connecting to mail servers or what not), NAT slipstreaming, and similar security issues. To more thoroughly prevent known abusable ports on servers, this list was extended with a number of additional default ports for various non-http protocols. Downloaded files without a file extension: When a file without an extension is downloaded, we will now open the download folder where you may choose to take any specific action manually, instead of trying to execute it as a program or through an associated program. v28.16.0 (2020-11-24) This is a development and security update to the browser. Note for Linux users: With CentOS 6 going end-of-life, this version will be the last for which we will be building 32-bit Linux official binaries to download. While your distribution may choose to continue offering 32-bit versions of the browser, built from source by the maintainers, we won't be offering any further official 32-bit Linux binaries on our website. Please check with your distribution's package maintainers to know if further 32-bit support will be available on your particular flavor of Linux. Changes/fixes: Aligned CSS `tab-size` with the specification and un-prefixed it. Updated Brotli library to 1.0.9. Updated JAR lib code. Optimized UI code, resulting in smaller downloads and less space consumed on disk. Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 makes some frameworks unhappy, refusing access to users) Cleaned up HPKP leftovers. Disabled the DOM filesystem API by default. Removed Phone Vibrator API. Fixed an issue where the software uninstaller would not remove the program files it should. Fixed a devtools crash related to timeline snapshots. Fixed an issue in Skia that could cause unsafe memory access. DiD Fixed several data race conditions. DiD Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors. Linux: Fixed an overflow issue in freetype. Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation. Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable. Implementation notes: Windows binaries should all be properly code-signed again. The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation. The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We've disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform. One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may "leak" your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it's unambiguous what to do with single words in that case. v28.15.0 (2020-10-27) This is a standard development and bugfix release. Changes/fixes: Implemented support for CSS `caret-color`. Implemented support for un-prefixed `::selection` CSS pseudo-element styling. Fixed another potential crashing scenario in `ResizeObservers`. Fixed several crashes in the DOM `Fetch` API. Fixed a crash in table pagination. Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards. Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable. v28.14.2 (2020-10-02) This update fixes a few important issues. Changes/fixes: Fixed some additional crashes caused by the ResizeObserver API. This should take care of all crashes that have been attributed to this new code. Fixed erroneous parsing of CSS percentages as number values. v28.14.1 (2020-09-30) This update addresses an intermittent crash in the newly-implemented ResizeObserver API (introduced in 28.14.0) occurring on a number of high-profile and often-used websites. v28.14.0 (2020-09-29) This is a development and security update. Updated the browser identity code for website security to more clearly indicate website status. A detailed explanation is available on the forum and beyond the scope of these release notes. Updated unofficial branding to be more generic and more clearly separate unofficial builds from Pale Moon as a product. Please note that this goes hand in hand with an update of our redistribution license, and from this point forward any "New Moon" products are to be considered separate, and not unofficial Pale Moon builds or in any way related to or affiliated with Pale Moon, despite the similarity in name. Added a preference (`signon.startup.prompt`) to give users the option to ask for the Master Password the moment the application starts (before the main window opens). This allows a workaround for getting multiple Master Password prompts if individual components need access to the password store at the same time. Changed the way download sources are displayed to always use the actual domain downloads are from. In some situations the browser would previously display the domain of the referring page in an inconsistent fashion. Implemented the ES2019 `Object.fromEntries()` utility function. Implemented the CSS `flow-root` keyword. (Re-)implemented percentage-based CSS `opacity` values according to the updated spec. Implemented the last few missing bits for a standards-compliant implementation of JavaScript modules.(preloading, resource: scheme, etc.) Implemented the `ResizeObserver` DOM API. Fixed a null crash on some websites using CSS clip paths. Updated script handling inside SVGs to only run scripts if they are enabled and permitted, avoiding a potential XSS pitfall. Fixed several memory safety hazards and crashes. Updated the `MediaQueryList` interface to the updated spec. It now inherits from `EventTarget` and implements `AddEventListener`/`RemoveEventListener` in addition to `AddListener`/`RemoveListener` and should improve web compatibility for some sites. Removed support for the archaic and non-standard `<marquee>` element. Removed some leftovers from the discontinued plugin update checker service. Removed some internal HPKP implementation leftovers. Cleaned up the Windows widget code to reduce potentially vulnerable direct-dll loads. Security issues fixed: CVE-2020-15676 and CVE-2020-15677 Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 defense-in-depth, 7 not applicable. Release notes for older versions than those listed here You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.
Site and contents © 2009-2020 Moonchild Productions - All rights reserved Pale Moon is subject to the following licensing. Policies: Cookies - User Content - Privacy.

Pale Moon: Release notes

General note:
DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

v28.17.0 (2020-12-18)

This is a development, bugfix and security update.

Changes/fixes:

Changed the way dates and times are formatted in the UI to properly adhere to the user's regional settings in the O.S.
Re-enabled the DOM Filesystem API for web compatibility.
Moved the global user-agent override to the networking component. See implementation notes.
Worked around crashes and run-time issues with module scripts. See implementation notes.
Fixed a website layout issue with table-styled elements potentially overlapping when placed inside a flexbox.
Fixed some code logic issues with websockets.
Fixed a regression when waking the computer from standby causing high CPU usage in some uncommon situations.
Updated the list of prohibited ports the browser can use. See implementation notes.
Updated root certificates.
Windows: Changed the way downloaded files without an extension are handled. See implementation notes.
Mac-beta: Improved version detection of MacOS including Big Sur.
Security issues addressed: CVE-2020-26978 and CVE-2020-35112.
Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 deferred to the next release, 16 not applicable.

Implementation notes:

The global user-agent override was moved to the networking component where it is actually implemented. The new preference name is network.http.useragent.global_override. Please note that using a blanket override is normally (very) counterproductive and does not, in fact, help much with privacy. It would also override the compatibility modes (Native/Gecko/Firefox) in Pale Moon. As such, the browser will now warn you if the user-agent is globally overridden (in preferences) and allow you to easily reset that override and re-enable the various compatibility modes.
Module scripting caused some persistent and very hard to track browser crashes that we've narrowed down to a specific optimization in the JavaScript JIT (Just-In-Time) compiler (IonMonkey). This optimization is now disabled by default but if you need that little extra performance (usually only noticed in very optimized code or some benchmarks) then you can re-enable it, trading in stability, by setting the new preference javascript.options.ion.inlining to true.
Prohibited ports: Pale Moon maintains a blacklist of ports the browser may normally not connect to on servers, to mitigate abusive web scripting employing your browser as an attack bot on servers (e.g. by connecting to mail servers or what not), NAT slipstreaming, and similar security issues. To more thoroughly prevent known abusable ports on servers, this list was extended with a number of additional default ports for various non-http protocols.
Downloaded files without a file extension: When a file without an extension is downloaded, we will now open the download folder where you may choose to take any specific action manually, instead of trying to execute it as a program or through an associated program.

v28.16.0 (2020-11-24)

This is a development and security update to the browser.

Note for Linux users: With CentOS 6 going end-of-life, this version will be the last for which we will be building 32-bit Linux official binaries to download. While your distribution may choose to continue offering 32-bit versions of the browser, built from source by the maintainers, we won't be offering any further official 32-bit Linux binaries on our website. Please check with your distribution's package maintainers to know if further 32-bit support will be available on your particular flavor of Linux.

Changes/fixes:

Aligned CSS tab-size with the specification and un-prefixed it.
Updated Brotli library to 1.0.9.
Updated JAR lib code.
Optimized UI code, resulting in smaller downloads and less space consumed on disk.
Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 makes some frameworks unhappy, refusing access to users)
Cleaned up HPKP leftovers.
Disabled the DOM filesystem API by default.
Removed Phone Vibrator API.
Fixed an issue where the software uninstaller would not remove the program files it should.
Fixed a devtools crash related to timeline snapshots.
Fixed an issue in Skia that could cause unsafe memory access. DiD
Fixed several data race conditions. DiD
Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors.
Linux: Fixed an overflow issue in freetype.
Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation.
Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.

Implementation notes:

Windows binaries should all be properly code-signed again.
The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation.
The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We've disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform.
One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may "leak" your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it's unambiguous what to do with single words in that case.

v28.15.0 (2020-10-27)

This is a standard development and bugfix release.

Changes/fixes:

Implemented support for CSS caret-color.
Implemented support for un-prefixed ::selection CSS pseudo-element styling.
Fixed another potential crashing scenario in ResizeObservers.
Fixed several crashes in the DOM Fetch API.
Fixed a crash in table pagination.
Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards.
Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable.

v28.14.2 (2020-10-02)

This update fixes a few important issues.

Changes/fixes:

Fixed some additional crashes caused by the ResizeObserver API. This should take care of all crashes that have been attributed to this new code.
Fixed erroneous parsing of CSS percentages as number values.

v28.14.1 (2020-09-30)

This update addresses an intermittent crash in the newly-implemented ResizeObserver API (introduced in 28.14.0) occurring on a number of high-profile and often-used websites.

v28.14.0 (2020-09-29)

This is a development and security update.

Updated the browser identity code for website security to more clearly indicate website status.
A detailed explanation is available on the forum and beyond the scope of these release notes.
Updated unofficial branding to be more generic and more clearly separate unofficial builds from Pale Moon as a product.
Please note that this goes hand in hand with an update of our redistribution license, and from this point forward any "New Moon" products are to be considered separate, and not unofficial Pale Moon builds or in any way related to or affiliated with Pale Moon, despite the similarity in name.
Added a preference (signon.startup.prompt) to give users the option to ask for the Master Password the moment the application starts (before the main window opens). This allows a workaround for getting multiple Master Password prompts if individual components need access to the password store at the same time.
Changed the way download sources are displayed to always use the actual domain downloads are from. In some situations the browser would previously display the domain of the referring page in an inconsistent fashion.
Implemented the ES2019 Object.fromEntries() utility function.
Implemented the CSS flow-root keyword.
(Re-)implemented percentage-based CSS opacity values according to the updated spec.
Implemented the last few missing bits for a standards-compliant implementation of JavaScript modules.(preloading, resource: scheme, etc.)
Implemented the ResizeObserver DOM API.
Fixed a null crash on some websites using CSS clip paths.
Updated script handling inside SVGs to only run scripts if they are enabled and permitted, avoiding a potential XSS pitfall.
Fixed several memory safety hazards and crashes.
Updated the MediaQueryList interface to the updated spec. It now inherits from EventTarget and implements AddEventListener/RemoveEventListener in addition to AddListener/RemoveListener and should improve web compatibility for some sites.
Removed support for the archaic and non-standard <marquee> element.
Removed some leftovers from the discontinued plugin update checker service.
Removed some internal HPKP implementation leftovers.
Cleaned up the Windows widget code to reduce potentially vulnerable direct-dll loads.
Security issues fixed: CVE-2020-15676 and CVE-2020-15677
Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 defense-in-depth, 7 not applicable.

Release notes for older versions than those listed here

You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.