Recent Releases
27.9.4 (18 Jul 2018 03:15)
minor feature:
This is a security and usability update.
Changes/fixes:
- Updated the useragent for addons.mozilla.org to work around their "Only with Firefox" discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.
- Restricted web access to the moz-icon:// scheme that could potentially be abused to infringe the user's privacy.
- Prevented various location-based threats. DiD
- Fixed a potential vulnerability with plugins being redirected to different origins (CVE-2018-12364).
- Improved the security check for launching executable files on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
- Fixed an issue with invalid qcms transforms (CVE-2018-12366).
- Fixed a buffer overflow using the computed size of canvas elements (CVE-2018-12359).
- Fixed a use-after-free when using focus() (CVE-2018-12360).
- Added some sanity checks on nsMozIconURI. DiD
- Fixed an issue in the case the preferences file in the profile would not be writable (e.g. temporary permission issues due to backup, virus scanning or similar external processes).
DiD: This means that the fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
27.9.3 (13 Jun 2018 03:15)
minor feature:
This is a security update.
Changes/fixes:
- (CVE-2017-0381) Ported a patch from libopus upstream. Note: contrary to that report, the libopus maintainers state they don't believe remote code execution was possible, so this was not a critical patch.
- Fixed an issue with task counting in JS GC.
- Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject.
- Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.
27.9.2 (19 May 2018 08:05)
minor feature:
This is a security and stability update.
Changes/fixes:
- We changed the language strings for softblocked items so people will cry less when we do our job.
- (CVE-2018-5174) Prevent potential SmartScreen bypass on Windows 10.
- (CVE-2018-5173) Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
- (CVE-2018-5177) Fixed a vulnerability in the XSLT component leading to a buffer overflow and crash if it occurs.
- (CVE-2018-5159) Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes.
- (CVE-2018-5154) Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths.
- (CVE-2018-5178) Fixed a buffer overflow during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable extension in order to occur.
- Fixed several stability issues (crashes) and memory safety hazards.
27.9.1 (08 May 2018 03:15)
minor feature:
This is a maintenance release.
Changes/fixes:
- Removed the unused/incomplete places protocol handler.
- Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
- Ported across jemalloc improvements from UXP.
- Ported across cairo mutex improvements from UXP.
- Added support for FFmpeg 4.0/libavcodec 58.
- Added a fix for Windows 10's "isAlpha()" not being what one would expect in v1803.
27.9.0 (18 Apr 2018 03:15)
minor feature:
This is the last major development update for the v27 milestone (codenamed "Tycho").
After this, we will be focusing our efforts for new features entirely on UXP and the new v28 milestone building on it. We will continue to support v27.9 with security and stability updates for a while, but no major new features will be added from this point forward.
Changes/fixes:
- Fixed a number of spec compliance issues in our media subsystem.
- Added a trailing slash to referrers when policy is set to Some web compatibility.
- Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
- Updated RegExp(RegExp object, flags) to the ES6 standard specification.
- Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
- Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
- Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address (pmsync.palemoon.org) when upgrading.
- Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
- Added a fix to switch to the correct window/tab when a web notification is clicked.
- Changed the placeholder text to not include "Search" when all search functions from the address bar are disabled.
- Enabled the use of Skia for canvas on Linux and OSX.
- Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I'm looking at you, Noto fonts!).
- Added a workaround for incorrectly-encoded JPEG-XR
27.8.3 (29 Mar 2018 03:15)
minor feature:
This is a small update to address a pervasive crashing issue.
Changes/fixes:
- Backed out some responsive layout code that caused intermittent but not uncommon crashes in the browser depending on window sizes and page content.
27.8.2 (23 Mar 2018 03:15)
minor feature:
This is a security update.
Changes/fixes:
- Privacy fix: prevented update checks for the default theme.
- Added a user-agent override for Dropbox to improve compatibility with their service.
- Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
- Disabled the Mac OSX Nano allocator. DiD
- Fixed (CVE-2018-5129) OOB Write.
- Updated the lz4 library to 1.8.0 to solve potential issues. DiD
- Fixed (CVE-2018-5137) Path traversal on chrome:// URLs.
- Fixed several memory safety and synchronicity hazards.
27.8.1 (07 Mar 2018 09:25)
minor feature:
This is a small update to address some breaking issues.
Changes/fixes:
- Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
- Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.
27.8.0 (03 Mar 2018 03:15)
minor feature:
This is a development update with new and improved features and bugfixes.
Changes/fixes:
- Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
- Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
- Added Eyedropper menu entry to the AppMenu.
- Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
- Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
- Added support for ES6 "Symbol species".
- Updated our TLS 1.3 support to the latest (probably final) draft.
- Fixed gap inconsistency in the tabstrip.
- Fixed a number of browser crashes.
- Fixed a crash with the exponentiation operator "**".
- Set the performance timer granularity to 1 ms.
- Updated the kiss-fft library to our forked 1.4.0 version.
- Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
- Removed the notification bar when in full screen to prevent unwanted visible screen elements.
- Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
- Removed redundant checks for "Vista or later" since that is all we support.
- Added display of the http status to raw request displays.
- Added a workaround for cloned videos not retaining their muted state.
- Added a temporary workaround to avoid crashes on trackless media.
- Removed some superfluous ellipses from menu labels.
- Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
- Fixed some issues with setting the new tab preference (regression).
27.7.2 (02 Feb 2018 22:05)
minor feature:
This is a security and stability update.
Changes/fixes:
- Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
- Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre. This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
- Improved the debug-only startup cache wrapper to prevent a rare crash.
- Fixed a crash in the XML parser.
- Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122). DiD
- Fixed a potential race condition in the browser cache.
- Fixed a crash in HTML media elements (CVE-2018-5102).
- Fixed a crash in XHR using workers.
- Fixed a crash with some uncommon FTP operations.
- Fixed a potential race condition in the JAR library.
27.7.1 (20 Jan 2018 15:05)
minor feature:
This is a minor emergency update to address website breakage and a theme issue.
Changes/fixes:
- Added support for Array.prototype[@@unscopables]. Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
- Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.
27.7.0 (16 Jan 2018 10:05)
minor feature:
This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.
Changes/fixes:
- Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
- Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
- Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
- Fixed an issue on Mac builds not properly populating the application menu.
- Added "My home page" as an option for new tabs.
- Added an option to disable the 4th and 5th mouse buttons (Windows) (mouse.button4.enabled and mouse.button5.enabled, respectively).
- Improved the resetting of non-default profiles.
- Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
- Made several more improvements to the details/summary tags to align them with the current spec and fix some additional issues.
- Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers (this should fix layout issues with Twitch's new web interface).
- Fixed an issue where CSS clone operations would draw a border.
- Changed the way fractional border widths are rounded to provide more natural behavior.
- Fixed an issue where number inputs would incorrectly be flagged as read-only.
- Added assets for tile display in the Windows start panel.
- Finished sync infra swapover by adding a one-time pref migration for server used.
- Improved WebAudio API: Return the connected audio node from AudioNode.connect().
- Added support for a default playback start position in media elements.
- Fixed an assert in cubeb-alsa code (Linux).
- Added support for media cue-change events (e.g. subtitles).
- Updated SQLite to 3.21.0.
- Fixed a crash when trying to use the platform embedded.
- Fixed devtools (gcli) screenshots on vertical-text pages.
- Fixed devtools copy as cURL for POST requests.
- Improved the HTML editor component (several fixes).
- Added support for ES7's exponentiation (a ** b) operator.
- Fixed an issue with arrow func
27.6.2 (29 Nov 2017 08:25)
minor feature:
This is a security and minor update to the browser.
This will most likely be the last update for 2017, with the holidays not far away.
Changes/fixes:
- Implemented the concept of so-called "cookie-averse document objects" which is a security & privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
- Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents (CVE-2017-7832). Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar. Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
- Fixed an issue with mixed-content blocking (CVE-2017-7835).
- Added an extra check for the correct signature data type on certificates.
- Added missing sanitization in exporting bookmarks to HTML (CVE-2017-7840).
- Fixed several crashes and memory safety hazards.
27.6.1 (16 Nov 2017 16:25)
minor feature:
This is a minor release to address some pressing issues people have reported.
Changes/fixes:
- Fixed a regression with new windows (opening two windows from the command-line or file association, focus on new windows, not loading the home page in a new window, etc.).
- Aligned XHR with the current spec to allow withCredentials.
- Fixed an input element focus issue within handlers.
- Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups.
- Updated CitiBank override to work around their login issues.
- Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better.
27.6.0 (08 Nov 2017 06:45)
minor feature:
This is a major development update.
Changes/fixes:
- Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
- Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
- Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt").
- Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks (enjoy your LOLcats again!).
- Changed automatic updates over to the new infrastructure.
- Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
- Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort.
- Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
- Improved upmixing of mono sound for multi-channel setups.
- Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads.
- Fixed "Remove from history" function from the downloads panel.
- Forced focus on the address bar in new windows if the content is a blank/empty document.
- Fixed the dropmarker in the address bar to allow the suggestions to be with a click.
- Further cleaned up the status bar code.
- Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI).
- Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
- Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
- Updated WOFF2 code from upstream.
- Updated the zlib compression library.
- Made general improvements to internal code s
27.5.1 (11 Oct 2017 03:45)
minor feature:
This is a security and stability update to the browser, as well as fixing some issues users have indicated.
Changes/fixes:
- Changed the default Windows 10 styling when no accent color is applied to black-on-white.
- Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
- Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing.
- Fixed a crash in the media subsystem.
- Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
Security fixes:
- Updated the hyphenation library to the latest upstream code to fix a security issue.
- Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
- Updated NSS to 3.32.1-RTM.
- Worked around some more issues with Mac fonts (CVE-2017-7825).
- Fixed a potential rooting hazard in NPAPI plugin code. DiD
- Fixed a potential reference issue in JavaScript arrays. DiD
27.5.0 (27 Sep 2017 21:05)
minor feature:
This is a major update furthering general development of the browser.
Changes/fixes:
User interface:
- Added a menu option to restart the browser.
- Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
- Changed Windows' browser CSS sheet to use variables instead of hard-coding colors, simplifying its style and making it more flexible.
- Further cleaned up the Windows 10 specific browser style.
- Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
- Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
- Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
- Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop, theme and domain highlighting issues people have reported.
- Cleaned up some dead code for the plugin updater that no longer exists.
- Fixed a text direction issue in preferences.
- Fixed an issue with disabled context menu entries after using Customize...
- Reorganized and cleaned up the status preferences.
Media:
- MSE Media updates (ongoing). We are focusing on improving MP4 handling.
- Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover).
- Fixed a number of issues searching in MP3 files.
- Fixed a few crashes.
- Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
- Fixed a regression re: domains allowed to/blocked from installing add-ons.
- Fixed several internal errors thrown in the front-end.
- Fixed several minor issues in the devtools.
- Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
- Added an option to control add-o
27.4.2.1 (29 Aug 2017 08:45)
minor feature:
This is an out-of-band update for the portable version of the browser only (Windows).
This fixes a few issues in the portable shell regarding backups and settings.
To update, please follow the recommended update procedure listed on the Pale Moon Portable page.
27.4.2 (23 Aug 2017 03:17)
minor feature:
This is a small update to address some security and stability issues.
Changes/fixes:
- Fixed a number of crashes.
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
- Added a fix for TLS 1.3 handshakes causing a browser hangup. Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
Security fixes:
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS using overly long Username in URL scheme (CVE-2017-7783).
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787).
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804).
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781).
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784).
- Fixed a UAF in WebSockets (CVE-2017-7800).
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809). DiD (accessibility is disabled).
27.4.1 (04 Aug 2017 15:45)
minor feature:
This is a small update to address some media and web compatibility issues.
Changes/fixes:
- Fixed an issue where media playback would not use hardware acceleration properly when using MSE. This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube.
- Fixed ES6 iterator chains to be spec-compliant.
- Fixed ES6 vector append calls and some related memory leaks.
- Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash.
27.4.0 (13 Jul 2017 03:17)
minor feature:
This is a major update to straighten out most of the media streaming issues, as well as adding the necessary enhancements, bugfixes and security fixes to the browser.
Changes/fixes:
- Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
  Please note that MSE+WebM is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
  If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
  We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
  Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronous MSE in settings (otherwise the WebM setting will be greyed out and disabled).
- Added a control in options/preferences for HSTS and HPKP usage.
- Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
- Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
- Fixed some issues accessing DeviantArt (useragent-sniffing).
- Aligned CSS text-align with the spec.
- Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
- Fixed spurious console errors for XHR requests with certain http response codes.
- Enabled v-sync aligned refresh for a smoother scrolling experience.
- Removed support for CSS XP-theme media queries.
- Improved console error reporting.
- Fixed resetting toolbars and controls from the safe mode dialog.
- bookmark
27.3.0 (29 Apr 2017 03:15)
minor feature:
A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.
Changes/fixes:
- Fixed up, checked and enabled vertical text writing modes! Pale Moon will now be able to display vertical, right-to-left script.
- Added the option to reset non-default profiles.
- Fixed various issues in the WebP image decoder.
- Added internally-supported document types to allowed <embed> types.
- Fixed locale selection in ICU after update to ICU58. (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
- Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
- Ongoing fixes for the MP4 parser and MSE.
- Made HTML Media Elements' preload attribute MSE-spec compliant. The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
- Fixed some issues with Windows WMF media playback.
- Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
- Fixed display of RSS folder icons.
- Fixed issues with custom context menus.
- Fixed an issue importing bookmarks with separators losing their extra data.
- Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
- Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
  0 = load restored tab data from cache (current behavior, default).
  1 = refresh restored tab data from the network.
  2 = refresh stored tab data from the network and bypass any cached data.
- Improved upon a v27 performance regression with SVG scaling.
- Improved performance by being more selective which CSS animations to process. As a side-effect, elements changing their display from "none" to something visible now also animate.
- Increased memory allocation for the use of
27.2.1 (25 Mar 2017 07:05)
minor feature:
This is a small update to fix some stability and usability issues.
Changes/fixes:
- Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
- Fixed a crash related to a change in JavaScript array handling introduced in 27.2.0. This became apparent with the pentadactyl extension, but could happen in other situations as well.
- Fixed a crash when opening ridiculously large images with HQ scaling enabled (default). Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images.
- Changed the way URL hashes are handled, and will no longer decode anchor hash identifiers by default. Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded. This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes are part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect. If you want RFC compliance, switch dom.url.getters_decode_hash to true.
- Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA.
- Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2
27.2.0 (19 Mar 2017 07:25)
minor feature:
This is a major update to the browser with a focus on back-end improvements and security.
Changes/fixes:
- Updated the ICU lib to 58.2 to fix a number of issues.
- Added proper control for the user for offline storage for web applications.
- Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
- Added the feature to pass a URL to open in a private window from the command-line.
- Improved the display of the downloads indicator on the button in bright-text situations.
- DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
- Allowed toolbar button badges to be properly styled.
- Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
- Fixed desktop notifications being off-screen if fired in rapid succession.
- Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
- Added support for JPEG-XR images. This makes Pale Moon have the broadest support for image formats of all web browsers.
- Completely removed the use of GStreamer on Linux.
- Added support for element.innerText.
- Custom toolbars should now properly remember their state.
- Fixed some more playback issues with MP4/MSE videos. Please be aware that we are still working on further improving MSE video handling.
- Changed media processing to reduce dangerous processing asynchronicity. This should also make media elements and playback more responsive.
- Fixed a useragent string regression always displaying the minor Goanna version as .0.
- Updated NSPR to 4.13.1.
- Updated NSS to 3.28.3-RTM.
- Fixed unrestricted icon sizes in PMkit buttons.
- Fixed unresponsive buttons on support page when not building the updater.
- Fixed the use of "View image" and "Save image as" on extremely large images.
- Changed the way "View Image" and "Save image as" work on canvas elements.
- Made checking for dangerously large resolution PNG images smarter. It will now accept larger "strip"-aspect ratio images while reducing unsupported large ima
27.1.1 (22 Feb 2017 14:05)
minor feature:
This is a stability and bugfix update to the browser.
Changes/fixes:
- Implemented a fix in media handling to prevent crashes with concurrent videos and/or rapidly starting/stopping video playback in the browser.
- Fixed the way the Adobe Flash plugin is detected to prevent confusion with other plugins that identify themselves as "Flash" (e.g. VLC).
- Windows: Solved stability issues caused by the release build process, resulting in unexpected behavior (e.g. hangups).
27.1.0 (10 Feb 2017 03:17)
minor feature:
This is a major update with lots of development and bugfixes. It also introduces the so-called "PMkit" modules, our effort to restore compatibility with Jetpack/SDK extensions and making it possible for extension developers to convert their SDK extensions with little effort to a Pale Moon compatible format. For more details please check the PMkit documentation on the developer wiki.
Changes/fixes:
- Reworked the media back-end completely to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing.
- On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system.
- Restored the classic about:config styling.
- Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
- Improved cross-compartment wrapper handling when managing a large number of tabs.
- Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. BlueTooth-connected speakers.
- Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go.
- Fixed several errors in the devtools.
- Fixed a nasty crash caused by cross-origin referrers.
- Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
- Added HTML5-spec clipboard handling for content (cut & copy only -- paste is not allowed for security reasons).
- Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions. This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
- Fixed a css layout issue: make max-width affect cont
27.0.3 17 Dec 2016 14:25
minor feature:
This is a bugfix and security update.
Changes/fixes:
Fixed certain network errors not displaying.
Fixed network error page styling.
Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
Disabled downloadable font unicode-ranges on non-Windows platforms.
Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions that rely on this (e.g. Stylish).
Fixed and updated preferences for location bar suggestions.
Fixed several x64-specific issues in memory allocation code (regression fix).
Fixed timer issues when resuming a computer from stand-by (regression fix).
Fixed a number of branding and textual issues in the browser.
Fixed prompting for the saving of off-line data (previously always allowed without prompting).
Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.
Security-related and crash fixes:
Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
Fixed CSP bypass using the marquee tag (CVE-2016-9895).
Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
Fixed an error in the buffer logic in http-chunked decoder.
Fixed a crash in generational GC code (not in use by default). DiD
Fixed a compartment mismatch in plug-in code.
Fixed a crash trying to get a nonexistent property.
Improved MediaRecorder's observer safety.
Fixed a crash related to document history.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pa
27.0.2 04 Dec 2016 00:05
minor feature:
This is a minor update to address usability and security issues:
Enabled Firefox Compatibility mode by default for the useragent string. Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3. HTML offers plenty of ways to do proper feature detection; site owners should use them. Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
The built-in devtools are back, and with a facelift! Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27.
Security fix:
Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
27.0.1 29 Nov 2016 22:45
minor feature:
This is a bugfix release for some of the issues that popped up with the new milestone.
Changes/fixes:
Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code. This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
Worked around bad Netflix interface changes - it will now use a more compatible web UI. Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
Aligned base status bar colors with default prefs.
Fixed status bar options not being remembered.
Added an override for Amazon Prime videos so they won't stop us at the front door any longer when not using the Firefox Compatibility user agent mode.
Re-applied proper branding text to in-app licensing.
26.5.0 29 Sep 2016 16:45
minor feature:
Changes:
Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
Improved the performance of canvas poisoning by explicitly parallelizing it.
Security fixes:
Fixed a potentially exploitable crash related to text writing direction (CVE-2016-5280).
Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
Fixed several memory safety issues and crashes.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
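The scheme-less host matching change described in the 26.5.0 notes above, shown as an added example (this is not Pale Moon's code): a simplified host-source matcher that follows the CSP 1.0 and CSP 2 matching rules for scheme, host and port only, with path matching left out. The function names, the policy entry and the sample URLs are constructed for illustration.

```javascript
// Added illustration; not Pale Moon source code.
// Simplified: scheme, host and port matching only (CSP paths are ignored).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a CSP host-source: [scheme "://"] ["*."] host [":" port | ":*"]
function parseHostSource(expr) {
  const re = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
  const m = re.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// Scheme rule: this is the only step that differs between the two levels.
function schemeAllowed(src, url, page, cspLevel) {
  if (src.scheme) return src.scheme === url.protocol; // explicit scheme: exact match
  if (cspLevel === 1) {
    // CSP 1.0: a scheme-less source inherits the protected page's scheme.
    return url.protocol === page.protocol;
  }
  // CSP 2: a page loaded over http may also load the https version of the host.
  if (page.protocol === "http:") {
    return url.protocol === "http:" || url.protocol === "https:";
  }
  // Any other page scheme (e.g. https) still requires the same scheme,
  // so an https page never gains access to http resources this way.
  return url.protocol === page.protocol;
}

function hostSourceMatches(expr, resourceUrl, pageUrl, cspLevel) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(resourceUrl);
  const page = new URL(pageUrl);

  if (!schemeAllowed(src, url, page, cspLevel)) return false;

  // Host rule: "*.example.com" matches subdomains only, not the apex.
  const host = url.hostname.toLowerCase();
  if (src.host.startsWith("*.")) {
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (host !== src.host) {
    return false;
  }

  // Port rule: without a port-part, only the scheme's default port matches.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (src.port === null) return urlPort === DEFAULT_PORTS[url.protocol];
  return src.port === "*" || src.port === urlPort;
}

// Evaluate one policy entry against several resource URLs under both levels.
function compareLevels(expr, pageUrl, resources) {
  return resources.map((resource) => ({
    resource,
    csp1: hostSourceMatches(expr, resource, pageUrl, 1),
    csp2: hostSourceMatches(expr, resource, pageUrl, 2),
  }));
}

// Constructed sample: a page served over http whose policy lists a bare host.
console.table(
  compareLevels("cdn.example.com", "http://shop.example/", [
    "http://cdn.example.com/app.js",
    "https://cdn.example.com/app.js",
    "https://cdn.example.com:8443/app.js",
    "ftp://cdn.example.com/app.js",
  ])
);
```

Only the second row differs between the two levels: the https copy of the listed host is rejected under the CSP 1.0 rule and accepted under the CSP 2 rule.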
26.4.1 13 Sep 2016 03:16
minor feature:
This is a minor bugfix and security release.
Changes/fixes:
Fixed a crash in the XSS filter.
Slightly changed the address bar shading on secure sites to be more subtle and easily-blended.
Fixed the occurrence of "null" titles in bookmarks dragged from special folders.
Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved.
Fixed some minor issues in scratchpad and gcli devtools.
Security fixes:
Updated the HSTS preload list to a much more updated source list, and performing our own checks on validity from now on to have the list be as accurate as possible.
Disabled Triple-DES cipher suites by default (mitigating SWEET32).
Portable-only: Changed the behavior to, by default, allow it to start a new copy or multiple copies without checking if Pale Moon is already running on the system. You will need separate profiles to run multiple browsers concurrently.
26.4.0 18 Aug 2016 19:25
minor feature:
Changes/fixes:
Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Engines topic.
Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
Added the ES6 string.includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly.
Linux: improved memory allocation.
Updated the graphite font library to 1.3.9.
Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
Updated the SQLite library to 3.13.0.
Download= properties of links are now honored from the context menu "Save" option.
Fixed a crash in the XSS filter.
Fixed a crash in the DOM error module.
Worked around a crash on Linux.
Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment).
Security fixes:
(CVE-2016-5251) Potential URL spoofing in the address bar.
(CVE-2016-0718) Context-dependent crash in expat 2.1.0.
(CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
Fixed potentially exploitable crash in the array splice implementation.
Fixed potentially exploitable crash caused by badly formatted ICO files.
(CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown.
26.3.3 02 Jul 2016 03:15
minor feature:
Another small update to address some breaking issues. Sorry for the rapid-fire releases, everyone; this is not our intention.
Changes/fixes:
Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
Fixed an issue with news feeds not showing up when embedded in web pages.
Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.
26.3.1 26 Jun 2016 03:15
minor feature:
Changes/fixes:
Fixed an issue with new tab button theming on dark toolbars.
Reverted the useragent identification of Firefox Compatibility mode to 38.9 to avoid WOFF2 font issues for sites that don't use proper font deployment as recommended by the W3C.
Added a site-specific override for Google fonts to make sure it always works even if not using Firefox compatibility mode (workaround pending for a proper solution on Google's side).
Adjusted the "dark color" detection routine to switch text to white at higher relative contrast levels. This will more closely match Windows 10's "flip point" for different accent colors and is within the recommended range determined by the WCAG.
26.3.0 22 Jun 2016 03:15
minor feature:
Changes/fixes:
Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%).
String.prototype.match() and .replace() are now fully spec compliant.
NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
Worked around crashes in the XSS filter when navigating back in history due to document fragments.
Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.
Security fixes:
Fixed a number of memory safety hazards and potentially exploitable crashes.
CVE-2016-2821 Use-after-free in the mozilla::dom::Element class.
Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
Fixed a memory overrun error in the VP8 encoder. DiD
Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD
CVE-2016-2825 Partial Same Origin Policy violation.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
26.2.1 10 Apr 2016 03:26
minor feature:
This is a small update to fix a problem with keyboard navigation of the user interface.
26.2.0 07 Apr 2016 00:45
minor feature:
This is a major update and bugfix release.
Changes:
Implemented the URL API that's needed for a number of websites.
Changed internal keystroke handling within the spec to better align with generally expected behavior. This should fix the infamous "backspace" issue on Facebook. Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing.
Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!). From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported).
Re-styled about:sessionrestore to use more available screen real estate for tab info.
Added an option to use the mousewheel for horizontal scrolling (mouse action value 4) (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally).
Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly).
Fixed several issues with the default theme causing problems with behavior due to styling (and friends).
Fixed some miscellaneous issues in the internal jemalloc implementation.
Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now).
Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
Fixed layout of reflowed comboboxes without enough space.
Fixed a crash related to flexboxes overflowing themselves.
Added a simple implementation for Weak Messagelisteners.
Fixed a crash for
26.1.1 25 Feb 2016 03:15
minor feature:
This is a bugfix release to improve stability and extension compatibility.
Changes/fixes:
Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
Changed memory handling to (hopefully) address the memory inflation some people have experienced with 26.1.0.
Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.
26.1.0 17 Feb 2016 03:15
minor feature:
This is a web compatibility, stability and bugfix release.
Changes/fixes:
Disabled our ES6 Promise implementation introduced in 26.0, since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
Improved website compatibility with many sites and web applications by making our cookie gate less strict.
Fixed web compatibility issues with Google Hangouts and Yahoo Calendar.
Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
Fixed a few rare crashing issues on Windows due to the build process.
Reduced so-called "jank" on inner frame scrolling reflows.
Extension compatibility: partial implementation of Firefox 26 download.
js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!).
Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)
Security fixes:
Updated the Graphi
26.0.2 04 Feb 2016 08:25
minor feature:
This is a bugfix, security and web compatibility release.
Changes/fixes:
Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request. Please see the forum for information on which operating systems we can reasonably support.
Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
Made sure that dom.disable_beforeunload is predefined in about:config.
Fixed web compatibility issues with Youtube, Youtube Gaming, Yuku fora and Netflix.
Fixed web compatibility issues with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
Reinstated the about:config warning by default.
Fixed potential browser crashes.
Security fixes:
Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting with this version binaries will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
26.0.0 27 Jan 2016 03:15
minor feature:
This is a new milestone release! It's been in the works for a good number of months, and has many hundreds of notable changes, bugfixes, and improvements that can't possibly all be listed here. These release notes for this version are a concise summary, lifting out the most prominent and important changes. You may find slightly more detailed release notes on the forum.
General release notes:
Pale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of issues with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the issues and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum.
We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs!
Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway.
Changes:
The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas.
The brow
25.8.1 29 Nov 2015 03:15
minor feature:
A small update to address two important issues:
Fix for a crash that could occur at random since the update to 25.8.0.
Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.
25.8.0 18 Nov 2015 03:15
minor feature:
This is a security, stability and usability update.
Changes:
Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
Updated the JPEG decoder library to 1.4.0.
Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
Updated overrides to work around issues with Facebook and Netflix.
Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.
Security fixes:
Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126.
Updated the NSPR library to 4.10.10 to address several security issues.
Updated the NSS library to 3.19.4 to address several security issues.
Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
Fixed several Javascript-based memory safety hazards. DiD
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
25.7.3 15 Oct 2015 03:15
minor feature:
This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser.
Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.
25.7.2 03 Oct 2015 03:15
minor feature:
This is a stability update, addressing 2 critical hangs:
Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.
25.7.1 29 Sep 2015 03:15
minor feature:
This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.
Changes:
Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).
Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
Updated libnestegg to the most current version.
Fixed an issue where setting the location to an empty string could cause a reload loop.
Security fixes:
Changed the jemalloc poison address to something that is not a NOP-slide. DiD
Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521).
Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179).
Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175).
Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504).
Fixed an HTMLVideoElement Use-After-Free Remote
25.7.0 27 Aug 2015 08:25
minor feature:
This is a bugfix and maintenance release.
Changes:
Code cleanup: Removed the (otherwise unused) visual event tracer code.
Code cleanup: Removed reflow performance tracing code (telemetry).
Fixed a key JavaScript bug where defining properties on an object would wipe the object. This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expecting the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped. This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.
Updated the SQLite library to 3.8.11.1.
Added support for the element.matches() Web API function.
Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.
Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.
Security fixes:
Added protection against potential issues where our SVG mPositions is out of sync with the characters in the DOM. DiD
Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492).
Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488).
Fixed crash or memory corruption in nsTArray (CVE-2015-4489).
Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487).
Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482).
Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request (CVE-2015-4483).
DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
25.6.0 28 Jul 2015 03:15
minor feature:
This release addresses some security issues and a range of usability improvements to the browser.
Fixes/changes:
Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
Added a count for the number of matches in the find bar. It will now list the total number of matches fou
25.5.0 11 Jun 2015 08:25
minor bugfix:
Logjam fix: Refuse DHE keys with less than 1024 key bits.
Search plugin updates to re-enable Google suggestions and reduce tracking.
Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will
not be used for the "master switch" for OOPP and Flash will still be in the
plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll
boolean is set to override.
Fixed a crash during WebGL Conformance Tests for undefined indices.
HSTS preload list updates.
Status bar locale addition: cs.
Implemented a fix for the toolkit update service so that the same version
as the current application will not be offered as a valid update (Tobin).
Reorganized the AppMenu (give equal ease for windowed and tabbed browsing,
deprioritize Sync).
Disabled the Sync promo box in doorhangers.
Updated libpng to version 1.5.22.
Fixed support for builds using newer freetype on Linux. (Axiomatic).
Fixed --with-system-pixman builds. (Isaac Dunham).
Updated SQLite to version 3.8.10.1.
Changed the after-upgrade page loaded to the release notes instead of the
home page.
(and hoping people actually do take a moment to read them, preventing
unnecessary support requests).
Fixed navigator.geolocation - should never be null, to properly adhere to
the specification (Travis).
Moved paintlock event delay to greprefs, and adjusted it for 2015's
heavier sites.
Fixed the about dialog scripting for pre-release builds (includes build
date now as-intended and no longer errors the script).
Reorganized how pushed floats are handled in layout flow.
Implemented a change to run the updater from the install directory instead
of copying it.
Fixed transparency of the Pale Moon document icon for 256x256.
Updated padlock code:
- Added mixed-mode shading, and reorganized shading pref values more
logically.
Updated NSPR to 4.10.8.
Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon
changes.
Bumped the built-in site-specific UA compat mode overrides to v38.
Fixed a compressed-cache crash due to