AfterDawn: Software downloads

Versie historie van Pale Moon (64-bit portable)

<<Terug naar software beschrijving

Veranderingen voor v27.2.1 - v27.3.0

  • A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.
  • Changes/fixes:
  • Fixed up, checked and enabled vertical text writing modes!
  • Pale Moon will now be able to display vertical, right-to-left script.
  • Added the option to reset non-default profiles.
  • Fixed various issues in the WebP image decoder.
  • Added internally-supported document types to allowed types.
  • Fixed locale selection in ICU after update to ICU58.
  • (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
  • Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
  • Ongoing fixes for the MP4 parser and MSE.
  • Made HTML Media Elements' preload attribute MSE-spec compliant.
  • The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
  • Fixed some issues with Windows WMF media playback.
  • Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
  • Fixed display of RSS folder icons.
  • Fixed issues with custom context menus.
  • Fixed an issue importing bookmarks with separators losing their extra data.
  • Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
  • Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
  • 0 = load restored tab data from cache (current behavior, default)
  • 1 = refresh restored tab data from the network
  • 2 = refresh stored tab data from the network and bypass any cached data.
  • Improved upon a v27 performance regression with SVG scaling.
  • Improved performance by being more selective which CSS animations to process.
  • As a side-effect, elements changing their display from "none" to something visible now also animate.
  • Increased memory allocation for the use of very large PAC files.
  • Added menu entries for the permissions manager and improvements to its function and display.
  • Added preferences to control "highlight all" behavior of the find bar:
  • accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
  • accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
  • Added devtools command-line options.
  • Added remote IP and protocol to Devtools->Network entry details.
  • Added support for
    and HTML tags.
  • Fixed a regression in the MSIE profile migrator.
  • Removed migration of browser-specific settings when migrating data from IE/Safari.
  • Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues due to the current conflicting text of it).
  • Made the image document favicon skinnable.
  • Aligned DOM selection addRange with the spec.
  • Exposed mozAnon constructor js binding to system scopes for XHR.
  • Enhanced form data handling from JavaScript.
  • Security/privacy changes:
  • Updated NSS to 3.28.4-RTM to address a number of issues.
  • Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
  • Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
  • Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
  • Added an option to display punycode domain for IDN websites to combat phishing.
  • This is enabled by default for domain-validated https sites.
  • Preference: browser.identity.display_punycode
  • 0 = Display IDN name in identity panel (previous behavior)
  • 1 = Display punycode name for DV SSL domains (default)
  • 2 = Also display punycode for HTTP sites if IDN name used
  • Fixed an issue to prevent contacting remote servers when a connection might get blocked.
  • Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
  • Fixed several memory- and thread-safety hazards.
  • Fixed an address bar spoofing issue. (CVE-2017-5451)
  • Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
  • Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
  • Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
  • Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
  • Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
  • Fixed a potentially exploitable issue in graphite font shaping.
  • Fixed a potentially exploitable crash with credential-authentication.
  • Fixed out-of-bounds access with text selection in rare cases.
  • Fixed a security hazard in the ANGLE library.



Veranderingen voor v27.2.0 - v27.2.1

  • Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
  • Fixed a crash related to a change JavaScript array handling introduced in 27.2.0.
  • This became apparent with the pentadactyl extension, but could happen in other situations as well.
  • Fixed a crash when opening ridiculously large images with HQ scaling enabled (default).
  • Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images.
  • Changed the way URL hashes are handled, and will no longer %-decode anchor hash identifiers by default.
  • Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded.
  • This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes ar part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect.
  • If you want RFC compliance, switch dom.url.getters_decode_hash to true
  • Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2



Veranderingen voor v27.1.2 - v27.2.0

  • Changes/Fixes:
  • Updated the ICU lib to 58.2 to fix a number of issues.
  • Added proper control for the user for offline storage for web applications.
  • Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
  • Added the feature to pass a URL to open in a private window from the command-line.
  • Improved the display of the downloads indicator on the button in bright-text situations.
  • DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
  • Allowed toolbar button badges to be properly styled.
  • Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
  • Fixed desktop notifications being off-screen if fired in rapid succession.
  • Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
  • Added support for JPEG-XR images.
  • This makes Pale Moon have the broadest support for image formats of all web browsers.
  • (enabled by default; you can disable this with media.jxr.enabled).
  • Completely removed the use of GStreamer on Linux.
  • Added support for element.innerText.
  • Custom toolbars should now properly remember their state.
  • Fixed some more playback issues with MP4/MSE videos.
  • Please be aware that we are still working on further improving MSE video handling.
  • Changed media processing to reduce dangerous processing asynchronicity.
  • This should also make media elements and playback more responsive.
  • Fixed a useragent string regression always displaying the minor Goanna version as .0
  • Updated NSPR to 4.13.1.
  • Updated NSS to 3.28.3-RTM.
  • Fixed unrestricted icon sizes in PMkit buttons.
  • Fixed unresponsive buttons on support page when not building the updater.
  • Fixed the use of "View image" and "Save image as" on extremely large images.
  • Changed the way "View Image" and "Save image as" work on canvas elements.
  • Made checking for dangerously large resolution PNG images smarter.
  • It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
  • This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
  • Converted several hard-coded URLs to preferences.
  • Updated the google.com override so it would not cripple services based on UA sniffing.
  • Added Inner and Outer Window ID administration.
  • Fixed the add-on discovery pane detection.
  • Added support for canvas ellipse.
  • Improved drawing of certain MathML elements at problematic zoom levels.
  • No longer building gamepad support.
  • Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
  • Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
  • Aligned SVG specular filters with the spec.
  • Security/privacy changes:
  • Added support for 256-bit AES-GCM encryption.
  • Added support for ChaCha20-Poly1305 encryption.
  • Removed support for Camellia-GCM since nobody seems interested in it.
  • (Camellia in 128/256-bit CBC block mode is still fully supported).
  • Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
  • Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
  • Fixed print preview hijacking. (CVE-2017-5421)
  • Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
  • Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
  • Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
  • Fixed crash in directional controls. (CVE-2017-5413)
  • Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
  • Fixed the use of an uninitialized value. (CVE-2017-5405)
  • Fixed a buffer overflow. (CVE-2017-5412)
  • Fixed a UAF situation. (CVE-2017-5403)
  • Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
  • Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
  • Fixed a potential issue with HTTP auth. (CVE-2017-5418)
  • Fixed several memory safety hazards and potentially exploitable crashes



Veranderingen voor v27.1.1 - v27.1.2

  • This is a small update adding a workaround for potential deadlocks happening in media elements.



Veranderingen voor v27.0.3 - v27.1.0

  • Changes/Fixes:
  • Reworked the media back-end completely (thanks Travis!) to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing.
  • On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system.
  • Restored the classic about:config styling.
  • Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
  • Improved cross-compartment wrapper handling when managing a large number of tabs (fixes a performance regression with v27).
  • Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. BlueTooth-connected speakers.
  • Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go.
  • Fixed several errors in the devtools.
  • Fixed a nasty crash caused by cross-origin referrers.
  • Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
  • Added HTML5-spec clipboard handling for content (cut© only -- paste is not allowed for security reasons).
  • Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions.
  • This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
  • Fixed a css layout issue: make max-width affect contributions to intrinsic min-width.
  • Implemented several updates to the permissions manager. Among others, Improved the permissions manager (about:permissions) with a more complete set of permissions for pages.
  • Removed otherwise unused Metro browser platform/widget code.
  • Removed support for non-standard/deprecated let blocks and expressions.
  • Made the use of let as a keyword versionless and ES6 compliant.
  • Made the privacy category in preferences a tabbed setup to better fit the current options.
  • Fixed a regression preventing certain MP4 video files from playing.
  • Fixed a regression where seeking in media files would halt playback/jump to the end of the stream.
  • Fixed a crash caused by certain downloadable fonts with DirectWrite in use.
  • Improved downloads-button indicator legibility on some combinations of Windows versions and system theme colors.
  • Changed the Facebook user-agent override to be our native one, based on reports from users that it is (finally) working acceptably.
  • Fixed site-specific useragents being ignored if a global override is defined.
  • Security/privacy changes:
  • Changed CORS handling to allow data: sources, assuming they are same-origin. This should fix the infamous "Facebook endless reload" issue and may make some other sites that assume this particular (unspecified) CORS behavior happy with Pale Moon.
  • Reinstated the network.stricttransportsecurity.enabled preference so people who choose privacy over HSTS can do so again.
  • Added, In HSTS "off" state, prevention of HSTS site status from being written to disk.
  • Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar)
  • Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
  • Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
  • Fixed a potential security issue when exporting certificates with specially-crafted credentials. (CVE-2017-5381)
  • Fixed a potential use-after-free situation in frame selection. (CVE-2017-5380) DiD
  • Fixed a leak of window details through the Ion compiler in certain situations.
  • Fixed the potential for an exploitable crash involving Javascript GC. DiD
  • Fixed a potential overflow situation in (non-released) WebRTC code. DiD
  • Fixed a potentially unsafe situation in websockets. DiD
  • Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, 1285960).
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v27.0.2 - v27.0.3

  • This is a bugfix and security update.
  • Changes/fixes:
  • Fixed certain network errors not displaying.
  • Fixed network error page styling.
  • Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
  • Disabled downloadable font unicode-ranges on non-Windows platforms.
  • Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
  • Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions who rely on this (e.g. Stylish).
  • Fixed and updated preferences for location bar suggestions.
  • Fixed several x64-specific issues in memory allocation code (regression fix).
  • Fixed timer issues when resuming a computer from stand-by (regression fix).
  • Fixed a number of branding and textual issues in the browser.
  • Fixed prompting for the saving of off-line data (previously always allowed without prompting).
  • Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
  • Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.
  • Security-related and crash fixes:
  • Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
  • Fixed CSP bypass using the marquee tag (CVE-2016-9895).
  • Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
  • Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
  • Fixed an error in the buffer logic in http-chunked decoder.
  • Fixed a crash in generational GC code (not in use by default) DiD
  • Fixed a compartment mismatch bug in plug-in code
  • Fixed a crash trying to get a nonexistent property.
  • Improved MediaRecorder's observer safety.
  • Fixed a crash related to document history.
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v27.0.1 - v27.0.2

  • This is a minor update to address usability and security issues:
  • Enabled Firefox Compatibility mode by default for the useragent string.
  • Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3.
  • HTML offers plenty of ways to do proper feature detection; site owners should use them.
  • Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
  • The built-in devtools are back, and with a facelift!
  • Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27.
  • Security fix:
  • Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.



Veranderingen voor v27.0.0 - v27.0.1

  • This is a bugfix release for some of the issues that popped up with the new milestone.
  • Changes/fixes:
  • Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code.
  • This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
  • Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
  • Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
  • Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
  • Worked around bad Netflix interface changes - it will now use a more compatible web UI.
  • Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
  • Aligned base status bar colors with default prefs.
  • Fixed status bar options not being remembered.
  • Added an override for Amazon Prime videos so they won't stop us at the front door any longer when not using the Firefox Compatibility user agent mode.
  • Re-applied proper branding text to in-app licensing.



Veranderingen voor v26.5.0 - v27.0.0

  • After about 8 months of development, we now have a new milestone release with literally too many changes to list even concisely. These release notes will therefore only highlight the most important parts of this release.
  • In this release we've done a full upgrade of our back-end platform, meaning many things work different "under the hood" and you may run into a number of extension compatibility issues as a result.
  • New and updated features:
  • Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
  • Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
  • Pale Moon now fully supports HTTP/2.
  • Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
  • Media Source Extensions have been implemented to solve many video playback issues.
  • This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
  • Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
  • Support for SSL/TLS connections to proxy servers.
  • Support for the WOFF2 font format for downloadable fonts.
  • The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
  • The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.
  • Removed support/features:
  • Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
  • Removed the internal PDF (pre)viewer. This module was not maintained, was unable to display even half of the PDF documents correctly, and could not reasonably remain included in the browser. Please use a separate reader and/or install a PDF reader plugin.
  • Disabled building of the devtools. They will not be included in release versions of Pale Moon from this point forward. If you are a web developer or otherwise need those tools, fear not! They are available as a browser extension.
  • Removed the active XSS filter. This feature, although effective, was prone to some instability and needs to be rewritten for the update of our platform. It may or may not return in the future, depending on whether the original author has time to rewrite parts of this filter implementation.
  • Removed support for Add-on SDK extensions (JetPack extensions), considering the Mozilla/Gecko SDK is no longer compatible with our combination of application and platform code.
  • Security highlights:
  • All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide an as secure as possible browser.
  • Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
  • There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows+NTFS). You can find this in Options.
  • Other important notes:
  • Pale Moon 27 will initially only be available in English. We are working on getting localization done to have language packs available over time.
  • Important: You can not use the previous language packs since many strings have changed. Trying to do so will likely prevent the browser from starting or functioning. Pale Moon will automatically disable language packs for the previous version, but if you have explicitly disabled add-on compatibility checking you may run into trouble.
  • We will continue to fully support the following:
  • NPAPI plugins
  • Extensions with binary/XPCOM components
  • XUL/Overlay and bootstrapped extensions
  • Complete themes
  • Unsigned and author-signed extensions
  • The Camellia encryption cipher (also in GCM mode)
  • Graphite font shaping
  • Sync 1.1 (albeit without support for syncing add-ons)
  • Full customization of the UI as before



Veranderingen voor v26.4.0 - v26.5.0

  • Fixes/Changes:
  • Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
  • Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
  • Improved the performance of canvas poisoning by explicitly parallelizing it.
  • Security fixes:
  • Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
  • Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
  • Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
  • Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
  • Fixed several memory safety issues and crashes.
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v26.3.3 - v26.4.0

  • Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Engines topic.
  • Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
  • Added the ES6 string .includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
  • Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly.
  • Linux: improved memory allocation.
  • Updated the graphite font library to 1.3.9.
  • Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
  • Updated the SQLite library to 3.13.0.
  • Download= properties of links are now honored from the context menu "Save" option.
  • Fixed a crash in the XSS filter.
  • Fixed a crash in the DOM error module.
  • Worked around a crash on Linux
  • Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment)
  • Security fixes:
  • (CVE-2016-5251)Potential URL spoofing in the address bar.
  • (CVE-2016-0718) Context-dependent crash in expat 2.1.0.
  • (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
  • Fixed potentially exploitable crash in the array splice implementation.
  • Fixed potentially exploitable crash caused by badly formatted ICO files.
  • (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown



Veranderingen voor v26.3.2 - v26.3.3

  • Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
  • Fixed an issue with news feeds not showing up when embedded in web pages.
  • Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.



Veranderingen voor v26.3.0 - v26.3.1

  • Fixed an issue with new tab button theming on dark toolbars.
  • Reverted the useragent identification of Firefox compatibility mode to 38.9 to avoid WOFF2 font issues for sites that don't use proper font deployment as recommended by the W3C.
  • Added a site-specific override for Google fonts to make sure it always works even if not using Firefox compatibility mode.
  • (workaround pending for a proper solution on Google's side)
  • Adjusted the "dark color" detection routine to switch text to white at higher relative contrast levels.
  • This will more closely match Windows 10's "flip point" for different accent colors and is within the recommended range determined by the WCAG



Veranderingen voor v26.2.2 - v26.3.0

  • Changes/fixes:
  • Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
  • HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
  • Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%).
  • String.prototype.match() and .replace() are now fully spec compliant.
  • NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
  • Worked around crashes in the XSS filter when navigating back in history due to document fragments.
  • Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
  • Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.
  • Security fixes:
  • Fixed a number of memory safety hazards and potentially exploitable crashes.
  • Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
  • Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
  • Fixed a memory overrun error in the VP8 encoder. DiD
  • Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD
  • Fixed CVE-2016-2825 Partial Same Origin Policy violation
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v26.2.1 - v26.2.2

  • Changes/fixes:
  • Added a detection routine for dark window colors on Windows 8 and later (system themes using dark window frames) to better adapt to dark system colors. Theme developers can take advantage of this by checking for darkwindowframe="true" on #main-window in CSS selectors.
  • CSS classes prefixed with "--" no longer stop parsing of the selectors.
  • Several crash fixes.
  • Security fixes:
  • Made GC suppression more aggressive to prevent issues when actually out of memory.
  • Fixed a memory safety hazard in jpeg decoding.
  • Fixed a potentially exploitable crash when using bi-directional text.
  • Updated NSS to 3.19.4.2-PM, fixing CVE-2016-1938 among other things.



Veranderingen voor v26.1.1 - v26.2.1

  • This is a small update to fix a problem with keyboard navigation of the user interface.
  • 26.2.0 (2016-04-05)
  • This is a major update and bugfix release.
  • Changes:
  • Implemented the URL API that's needed for a number of websites.
  • Changed internal keystroke handling within the spec to better align with generally expected behavior.
  • This should fix the infamous "backspace" issue on Facebook.
  • Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing.
  • Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!)
  • From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported).
  • Re-styled about:sessionrestore to use more available screen real estate for tab info.
  • Added an option to use the mousewheel for horizontal scrolling (mouse action value 4).
  • (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally)
  • Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
  • Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
  • Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
  • Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
  • Fixed several issues with the default theme causing problems with behavior due to styling (thanks, Antonius32) (Issue #384 and friends)
  • Fixed some miscellaneous issues in the internal jemalloc implementation.
  • Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now)
  • Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
  • Fixed layout of reflowed comboboxes without enough space.
  • Fixed a crash related to flexboxes overflowing themselves. (Issue #396)
  • Added a simple implementation for Weak Messagelisteners. (Issue #399)
  • Fixed a crash for losing our cache entry while finishing up compression.
  • (re-apply after unintentional back-out switching to Goanna)
  • Linux: Worked around driver bugs with Intel drivers that falsely report what they can support in max texture size.
  • Portable only: Removed compression of the browser components library after some reports that in certain configurations and environments it was causing issues with the browser.
  • Security fixes:
  • Updated the graphite font library to 1.3.7+ to solve CVE-2016-2796 and no less than 14 of its friends.
  • Updated NSS to 3.19.4.2-PM to address several vulnerabilities (UAF, heap overflow).
  • Updated libvorbis to a much more recent version to fix multiple issues.
  • Crash fix and DiD fixes by holding strong references to objects in suspect places in the HTML parser. (CVE-2016-1961) (ZDI-CAN-3574)
  • Fixed several out-of-bounds issues in the VP8 decoder.
  • Fixed a potentially exploitable crash in XML/XSLT handling.
  • Applied some Kung Fu to HTML animations and transitions to prevent memory hazards.
  • Fixed applicable Mozilla code vulnerabilities CVE-2016-1965, CVE-2016-1960 (ZDI-CAN-3545), CVE-2016-1966, and CVE-2016-1963.



Veranderingen voor v26.1.0 - v26.1.1

  • This is a bugfix release to improve stability and extension compatibility.
  • Changes/fixes:
  • Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
  • Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0.
  • Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.



Veranderingen voor v26.0.3 - v26.1.0

  • Changes/fixes:
  • Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
  • Improved website compatibility with many sites and web applications by making our cookie gate less strict.
  • Fixed web compatibility with Google Hangouts and Yahoo Calendar.
  • Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
  • Fixed a few rare crashing issues on Windows due to the build process.
  • Reduced so-called "jank" on inner frame scrolling reflows.
  • Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!)
  • Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
  • Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
  • Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)
  • Security fixes:
  • Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs).



Veranderingen voor v26.0.2 - v26.0.3

  • Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility.
  • Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior.
  • Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.



Veranderingen voor v26.0.0 - v26.0.2

  • This is a bugfix, security and web compatibility release.
  • Changes/fixes:
  • Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
  • Please see the forum for information on which operating systems we can reasonably support.
  • Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
  • Made sure that dom.disable_beforeunload is predefined in about:config.
  • Fixed web compatibility issues with Youtube, Youtube Gaming, Yuku fora and Netflix.
  • Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
  • Reinstated the about:config warning by default.
  • Fixed 2 potential browser crashes.
  • Security fixes:
  • Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
  • Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
  • Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
  • Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
  • Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting this version will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v25.8.1 - v26.0.0

  • Pale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of bugs with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the bugs and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum.
  • We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs!
  • Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway.
  • Fixes/changes:
  • The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas.
  • The browser user interface has received updates, making it more compatible with Windows 10 in many respects and more in line with the general styles of the operating system version it is run on in terms of the shapes of controls and color setting.
  • Updated graphics/media support: Pale Moon now supports the WebP image format, properly scales EXIF rotated JPEGs, has updated support for different WebGL texture formats, improved scaling of vector images, updated libpng, libjpeg-turbo, libvpx, and misc other upstream libraries/modules, and more!
  • Library changes:
  • The library now has a scope bar (pops up when searching) with the option to select what you want to search in (either bookmarks or history) and the option to save your searches.
  • By default, there will be a history menu drop-down in the browser's user interface next to the bookmarks one.
  • Added "Containing folder" and "Containing folder path" columns so you can see exactly where a bookmark is located at a glance when searching (after enabling the columns).
  • Added support for Ruby annotations. If you need this functionality, set the about:config preference browser.ruby.enabled to true, and restart the browser.
  • Added conservative image decoding: it will now only decode images that are (almost) in view, greatly improving overall memory use and initial loading of graphics-heavy pages.
  • Aligned 3D CSS transforms and perspective with the spec.
  • JavaScript improvements: added basic support for ES6 Promises, added element.matches(), updated property assignments, added Bin/Oct literals in Number(), improved performance of TypeOf calls, improved GC memory shrinking, improved memory allocations, improved RegEx performance and compatibility, and more!
  • Added CSS media queries to determine the OS the browser is running on, allowing theme designers to make specific changes based on OS at run-time.
  • Added a control preference for onunload= events as dom.disable_beforeunload. This allows you to completely disable events fired when leaving a page.
  • Changed the memory allocator to the (faster) system allocator on modern operating systems.
  • Improved the handling of very large numbers of tabs.
  • Added Ecosia as a "green" search engine alternative for the environmentally aware surfer.
  • Autoplay of media now has a separate control preference for scripted content as media.autoplay.allowscripted, to block script-initiated autoplay of media.
  • Security updates:
  • Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES.
  • Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter.
  • Distrusted several root certificates in accordance with security best practice.
  • Aligned cookie acceptance with RFC 6265 §4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them.
  • Removed several hazardous modules like the maintenance service and the identity module.
  • Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually.



Veranderingen voor v25.8.0 - v25.8.1

  • Fix for a crash that could occur at random since the update to 25.8.0.
  • Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.



Veranderingen voor v25.7.3 - v25.8.0

  • This is a security, stability and usability update.
  • Fixes/changes:
  • Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
  • Updated the JPEG decoder library to 1.4.0.
  • Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
  • Updated overrides to work around issues with Facebook and Netflix.
  • Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.
  • Security fixes:
  • Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126
  • Updated the NSPR library to 4.10.10 to address several security issues.
  • Updated the NSS library to 3.19.4 to address several security issues.
  • Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
  • Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
  • Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
  • Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
  • Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
  • Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
  • Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
  • Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
  • Fixed several Javascript-based memory safety hazards. DiD
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v25.7.2 - v25.7.3

  • This is a usability update needed due to the fact that Mozilla has shut down they key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser.
  • Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.



Veranderingen voor v25.7.1 - v25.7.2

  • Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
  • Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.



Veranderingen voor v25.6.0 - v25.7.1

  • This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.
  • Fixes/changes:
  • Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
  • Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).
  • Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
  • Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
  • Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
  • Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
  • Updated libnestegg to the most current version.
  • Fixed an issue where setting the location to an empty string could cause a reload loop.
  • Security fixes:
  • Changed the jemalloc poison address to something that is not a NOP-slide. DiD
  • Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
  • Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
  • Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
  • Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
  • Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
  • Fixed a potentially exploitable crash in nsXBLService::GetBinding
  • Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
  • Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
  • Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v25.6.0 - v25.7.0

  • Fixes/changes:
  • Code cleanup: Removed the (otherwise unused) visual event tracer code.
  • Code cleanup: Removed reflow performance tracing code (telemetry).
  • Fixed a key JavaScript bug where defining properties on an object would wipe the object.
  • This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expecting the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped.
  • This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.
  • Updated the SQLite library to 3.8.11.1.
  • Added support for the element.matches() Web API function.
  • Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.
  • Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.
  • Security fixes:
  • Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
  • Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
  • Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
  • Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
  • Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
  • Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
  • Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)
  • DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.



Veranderingen voor v25.5.0 - v25.6.0

  • Fixes/changes:
  • Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
  • Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
  • Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
  • The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
  • Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
  • Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
  • Added a count for the number of matches in the find bar. it will now list the total number of matches found, and which match is the currently highlighted one.
  • Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
  • Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
  • Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
  • Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
  • Updated and improved several languages for the Status Bar code, and added Slovenian.
  • Fixed an issue in the internal updater window not showing proper language strings.
  • Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
  • Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
  • Fixed a crash caused by bad Opus audio encoding in media files.
  • Fixed a crash when trying to measure memory in about:memory while playing video.
  • Fixed a rare crash in sLayersAccelerationPrefsInitialized
  • Fixed miscellaneous other crashes.
  • Fixed a DNS prefetching issue for the people using this feature.
  • Fixed an issue with single-word searches from the address bar when a proxy is in use.
  • Fixed a number of build issues on Linux when using system libs.
  • Added support for link-time optimization on newer Linux compilers.
  • Removed more telemetry code (ongoing project!).
  • Security fixes:
  • Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
  • Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
  • Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
  • Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
  • Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
  • Fixed an issue where an IPDL message was sent off the main thread.
  • Fixed a potentially exploitable TCPSocket crash due to a race condition.



Veranderingen voor v25.4.1 - v25.5.0

  • Fixes/changes:
  • Logjam fix: Refuse DHE keys with less than 1024 key bits
  • Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
  • Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
  • Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
  • HSTS preload list updates (Squarefractal)
  • Status bar locale addition: cs
  • Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
  • Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
  • Disabled the Sync promo box in doorhangers.
  • Updated libpng to version 1.5.22
  • Fixed support for builds using newer freetype on Linux. (Axiomatic)
  • Fixed --with-system-pixman builds. (Isaac Dunham)
  • Updated SQLite to version 3.8.10.1
  • Changed the after-upgrade page loaded to the release notes instead of the home page.
  • (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
  • Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
  • Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
  • Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
  • Reorganized how pushed floats are handled in layout flow
  • Implemented a change to run the updater from the install directory instead of copying it.
  • Fixed transparency of the Pale Moon document icon for 256x256
  • Updated padlock code:
  • - Added mixed-mode shading, and reorganized shading pref values more logically
  • (0=off, 1=secure only, 2=secure+mixed, 3=all)
  • - Cleaned up CSS
  • - Cleaned up padlock logic a little
  • Hard-coded internal UA sniffing values for the extension legacy of devtools
  • Updated NSPR to 4.10.8
  • Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
  • Bumped the built-in site-specific UA compat mode overrides to v38
  • Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
  • Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
  • Added the option to load modules into a named scope (see issue #88)
  • Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
  • Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
  • Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
  • Added a preference for always preferring a certain dictionary language.
  • To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
  • More information about changes in this version that would be important for extension developers and web programmers can be found here.
  • Security fixes:
  • Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
  • DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
  • Fix for updater hijacking (CVE-2015-2720)
  • Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
  • Fix for a buffer overflow in the XML parser (CVE-2015-2716)
  • Fix for a potentially exploitable crash in DNS handling



Veranderingen voor v25.4.0 - v25.4.1

  • This is a small but important update to the previous major release to address some critical issues:
  • Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
  • Fixed a browser crash on some HTML5 games



Veranderingen voor v25.3.2 - v25.4.0

  • Fixes/changes:
  • Updated SQLite from 3.7.17 to v3.8.8.3, improving history/bookmark/etc. performance by up to 50% depending on operation
  • Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
  • Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
  • Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
  • Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
  • Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded
  • Fixed version strings for e.g. flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version
  • Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
  • Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile
  • Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
  • Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
  • Android: updated the random number generator handling on later versions of Android
  • Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
  • Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
  • Optimized the NSS callback for secure connections
  • Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org
  • Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon appmenu/button)
  • Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
  • Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
  • Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
  • Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface (nsISSLStatus.cipherSuite)
  • Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
  • Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser
  • Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
  • Removed most telemetry code, reducing code complexity and wasted CPU
  • Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
  • Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
  • Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches
  • Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
  • Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that operating system.
  • Linux: removed GnomeVFS that's no longer in use
  • Fixed the "double padlock while loading a secure site" niggle in the UI
  • Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of the control)
  • Added some more ES6 math/number functions:
  • Implemented Math.fround(x)
  • Implemented Number.isSafeInteger(x)
  • Implemented Math.clz32(x)
  • Security fixes:
  • Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0815 and CVE-2015-0815
  • Fixed CVE-2015-0811 [qcms] heap info leak
  • Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements
  • Fixed CVE-2015-0801 a variant of CVE-2015-0818
  • Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android
  • Fixed CVE-2015-0798 access to privileged URLs through about: redirector



Veranderingen voor v25.3.1 - v25.3.2

  • This release is an emergency update to fix crashes that started occurring because of Mozilla improperly signing the extensions and extension updates as offered through the Firefox Add-ons site addons.mozilla.org. Any improperly signed extension would not be able to be installed, and would immediately crash the browser.
  • No other changes were made in this release - this is a bugfix for this particular issue only.



Veranderingen voor v25.3.0 - v25.3.1

  • Fixed security vulnerability CVE-2015-0818. This vulnerability would allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
  • Fixed IPv6 DNS resolution regression in some less common cases.



Veranderingen voor v25.2.1 - v25.3.0

  • Fixes/changes:
  • Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
  • Note that older operating systems or older/embedded video processors may be limited in their support of these features.
  • Updated the ANGLE library to a much more current version.
  • Removed the crash reporter code completely to improve overall browser responsiveness and operation.
  • Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on crash reporter data-gathering tools.
  • Removed the Mozilla Plugin Finder Service (no longer in use @Mozilla).
  • Android: removed the Mozilla "product announcements" service.
  • Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10)
  • Significantly improved performance and accuracy of date/time/timer handling.
  • Significantly improved performance of the creation of DOM elements with plain text content.
  • Added several significant performance optimizations for arrays and strings in javascript.
  • Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
  • Added an "Open link in current tab" context menu entry on links for UI consistency.
  • Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
  • Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
  • Added Windows 10 compatibility in executable manifests.
  • Android: Fixed a crash on GL canvas surfaces.
  • Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
  • Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
  • Fixed a bug where a variable in parentheses would abort Javascript parsing.
  • Fixed a bug where the address bar would incorrectly be cleared.
  • Fixed padding issues for dropdown lists.
  • Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
  • Security fixes:
  • Disabled all RC4-based encryption ciphers by default. [More info]
  • Fixed several miscellaneous memory safety hazards.
  • (applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
  • Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
  • Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
  • Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
  • Note: production builds of Pale Moon were never vulnerable.
  • Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
  • Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
  • Fixed a potential PNG heap-overflow crash. DiD
  • Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.



Veranderingen voor v25.2.0 - v25.2.1

  • This is a small update to address cookie handling through proxies causing issues for some authenticating proxies in corporate environments



Veranderingen voor v25.1.0 - v25.2.0

  • This is an important update after rapid development on the back-end to extend browser capabilities and implement some ES6 draft functions for web programmers, as well as provide some important crashfixes, bugfixes and security updates.
  • Fixes/changes:
  • ES6: Added the following functions:
  • Array.prototype.find and Array.prototype.findIndex
  • IsConstructor(arg)
  • Array.of(items...)
  • Number.parseInt and Number.parseFloat
  • Advanced math functions: hyperbolic sin/cos/tan/asin/acos/atan, hypotenuse, cube root, expm1, log1p, log10, log2, sign and trunc
  • Map.prototype.forEach and Set.prototype.forEach
  • ES6: Added the following number constants: EPSILON, MIN_SAFE_INTEGER and MAX_SAFE_INTEGER
  • ES6: Added the use of binary and octal numeric literals (&b... and &o...)
  • ES6: Updated behavior of accessing indexed values in accordance with the spec.
  • CSS: Added overflow-clip-box:content-box|padding-box
  • DOM: Added table.createTBody() function
  • Added a clearer alltabs button for dark personas.
  • Added a development tools toggle hotkey (F12)
  • Added a preference prompts.tab_modal.focusSwitch to enable or disable tab switching when a modal dialog (e.g. javascript confirmation) is presented in a page.
  • IonMonkey on Android: fixed the implementation of AbsI.
  • IonMonkey: fixed a bug where actively used objects were discarded.
  • Fixed register initialization to prevent incorrect detection of SIMD instructions on some CPUs.
  • Optimized some loops in the spell checker to increase performance.
  • Simplified cache handling, updated cache parameters to better reflect current web use, and enabled automatic cache sizing by default.
  • Adjusted memory cache sizing to better reflect capacities of current hardware.
  • Updated UserAgent override workarounds for Netflix and FaceBook to fix some site issues.
  • Aligned programmatic access to geolocation with the spec.
  • Fixed a crash when being fed a data file (XML) with too deeply nested tags.
  • Fixed a crash in HTML5/WebAudio that affected some games.
  • Fixed a crash when programmatically collapsing elements.
  • Fixed a few non-breaking bugs related to e10s code.
  • Fixed text input/padding issues.
  • Updated surround downmixing code for Vorbis.
  • Improved tolerance in WebAudio for loading multichannel audio files.
  • Android: Fixed an issue with Flash, it should now run on more devices.
  • Updated the DDG search plugin to make the actual query be the last parameter in the address bar for easy editing after a search has been performed.
  • Removed some unused update channel code.
  • Updated branding to more clearly indicate Pale Moon's trademark.
  • Updated some licensing texts in-browser to properly reflect used code and rights.
  • Security/privacy fixes:
  • Added a preference network.stricttransportsecurity.enabled to enable or disable the use of HSTS (HTTP Strict Transport Security), allowing users to choose between privacy and security in this matter. (hidden pref)
  • Fixed CVE-2014-1589 by whitelisting XBL bindings that may be applied to untrusted content.
  • Important: extension developers should read this related thread.
  • Fixed CVE-2014-1593.
  • Mac: fixed CVE-2014-1595.
  • Fixed CVE-2014-8639 by adjusting cookie handling through proxies.
  • Fixed CVE-2014-8636.
  • Fixed several memory safety hazards that do not have CVE numbers.



Veranderingen voor v25.0.2 - v25.1.0

  • This is an important update after rapid development on the back-end to keep pace with the current changes on the web and improve compatibility with websites.
  • Fixes/changes:
  • New feature: multi-line flexbox support.
  • Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This has been on Pale Moon's to-do list for a while but was rather complex to tackle, hence the delay in implementation. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
  • New feature: added support for collapsed flex element items.
  • Enhanced feature: Content Security Policy (CSP)
  • Pale Moon now fully supports the CSP 1.0 specification allowing websites to set restrictions on content to prevent XSS (Cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial, and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and FaceBook galleries).
  • New feature: added support for iframes with inline content.
  • Updated the Firefox Compatibility mode version to 31.9.
  • With the improvements in rendering and overall feature set, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites).
  • Pale Moon no longer builds the so-called "media navigator" by default.
  • This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
  • Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
  • Fixed oversized/blocky menu arrows on Windows 8.1 in HiDPI mode.
  • Fixed incorrect operating system being passed on to addons.mozilla.org.
  • Fixed an error being thrown in the error console/web console when opening a new window.
  • Removed the NVidia 3D Vision auxiliary utility library.
  • This library has been the likely cause for a number of crashes on NVidia cards, and is completely unnecessary for Pale Moon.
  • Made the installer less aggressive for file type associations, to prevent "stealing" of globally associated file types.
  • Android: improved restoring of session tabs.
  • Android: added an option to automatically restore tabs.
  • An important thing to note with this new option is the following: with the option enabled, Pale Moon will now automatically restore tabs you had open previously when the app gets suspended (pushed out of memory by other apps, closed by swipe, etc.). The "quit" main menu option, however, completely shuts down your session, unloads Pale Moon from active memory, and tabs will not be automatically restored when you launch Pale Moon again. This is by design. To restore tabs in that situation, use the link from the home screen.
  • Fixed memory security hazards CVE-2014-1574 and CVE-2014-1575 security fix
  • Fixed CVE-2014-1581. security fix
  • Fixed bug 1069584: Bail if a cairo surface is in an invalid state. security fix
  • Made sure to initialize surfaces for draw targets. security fix
  • Fixed bug 1074280: Use AsContainerLayer() in order to avoid a bad cast. security fix
  • Fixed several problems in the HTML parser. security fix
  • Improved security of XHR by filtering out types of requests that can potentially be abused. security fix



Veranderingen voor v25.0.1 - v25.0.2

  • Fixes/changes:
  • Added a "Firefox compatibility mode" selection in Options -> Advanced.
  • This mode is enabled by default (reluctantly so), because too many websites (including some very big players who, themselves, promote an Open Web...) still use very poor browser detection methods based on arbitrary User Agent string comparisons, not catering to alternative browsers, and the resulting user experience being poor (being presented with mobile site layouts, broken pages, or even being flat-out refused service because someone exercises freedom of choice for web browser used). This should alleviate most, if not all, issues with browser-discriminating websites.
  • Improved active tab display on particularly dark personas.
  • People using "black" personas/lightweight themes should now have a lot less difficulty distinguishing the active tab.
  • Disabled SSL 3.0 by default (to put a muzzle on the POODLE).
  • Please note that this may cause issues with some poorly configured web servers (usually ones with a hopelessly broken security setup that do not support TLS 1.2 or secure (re)negotiation of the protocol).
  • Fixed add-on update issue (that was preventing update checking through addons.palemoon.org).
  • Fixed the redundant redundancy in asking redundantly if the browser would be allowed to ask to install an extension when not on addons.mozilla.org.
  • Fixed the internal UA-sniffing insanity that broke devtools in a few different and colorful ways.



Veranderingen voor v25.0.0 - v25.0.1

  • Update of the add-on SDK to add missing "Pale Moon" engine entries to lists. This should fix extension compatibility issues for jetpack extensions that otherwise already work with the new GUID.
  • About box release notes link corrected
  • Fix for VP9 decoder vulnerability security fix
  • Fix for direct access to raw connection sockets in http security fix
  • Fix for unsafe conversion to JSON of data through the alarm dom element security fix
  • Update of NSS to 3.16.2.2-RTM security fix



Veranderingen voor v24.7.1 - v24.7.2

  • This is a small bugfix and security update.
  • Fixes/changes:
  • Use (i) icon for error console informational messages instead of (?)
  • Properly derive and insert the host of a URL security fix
  • Avoid negative audio ratios. security fix
  • Release XPCOM timer immediately after firing to prevent a race condition.
  • Add is-object check to IonBuilder::makeCallHelper. security fix



Veranderingen voor v24.6.2 - v24.7.0

  • Fixes/changes:
  • Fixed some performance issues with the new rendering engine on Windows. Rendering should be faster for all objects on hardware-accelerated layers now.
  • Font rendering on Direct2D will no longer fall back to greyscale in some situations, preserving ClearType.
  • CSS outlines will now properly outline the object, and not the overflow area (e.g. box shadow).
  • The delay for hiding the default status has been increased from 10 to 30 seconds to keep it on screen sufficiently long but not permanently.
  • Queries for "can play type" on WebM videos now get an HTML5-compliant response ("maybe" instead of "yes" as per the specification when a codec is not included in the request).
  • Pale Moon's gecko rendering engine and Firefox compatibility version now properly follows the minor version of Pale Moon again instead of always returning .0 - this should help UA sniffing websites to more easily detect Pale Moon or adapt to further-developed gecko 24 versions.
  • When using dark/black personas (lightweight themes), the tab close buttons would be almost invisible. They have been lightened a little to make them clearer.
  • Linux: the click behavior on the address bar has been unified with that on Windows, aiming for current-day desktop-clipboard use (select-when-clicked). This is configurable with a preference.
  • "In-content" preferences (preferences displayed in a tab instead of the normal dialog box) has been removed because of redundancy and incompleteness.
  • Checking for updates from the about box now always puts the user in control and never downloads anything directly from the about box. It will pop up the larger update window when an update is found.
  • Google SafeBrowsing, which is defunct, has been removed from the browser. privacy fix
  • Made the building of the Web Developer tools optional when compiling Pale Moon through --disable-devtools.
  • The Atom-optimized version no longer ships with the Web Developer tools to slim down the browser for limited platforms where these tools are considered generally unneeded.
  • Fixed domain highlighting in the address bar. It should no longer randomly lose this formatting when switching tabs or otherwise updating the browser UI.
  • Fixed missing click-to-play overlay on some zoom levels for plugins embedded in an iframe.
  • Fixed large delays in print enumeration on Windows, especially when printing to file: ports.
  • Updated the list of known domain suffixes.
  • Updated site-specific user-agent strings to prevent incorrect complaints from websites (google.com, aol.com, etc.) that use poor detection scripts.
  • Added granular referer control. See the release announcement on the forum for more details on how to use this.
  • Added gr locale to the status bar options.
  • Disabled HQ image downscaling. This is a workaround for the broken Mozilla HQ downscaling back-end causing constant invalidations and redrawing if 2 downscaled images with the same source were in view.
  • Updated the NSS library to 3.16.2 RTM to address a few critical SSL issues. security fix
  • There was a possibility to lose the source frame for raster images if images had to be discarded in low-memory situations. This has been fixed. security fix
  • Made refcounting logic around PostTimerEvent more explicit. security fix
  • Prevented an invalid pointer state in docloader. security fix
  • Added proper refcounting of font faces. security fix
  • Android: lots of branding updates to make it more release-ready.
  • Android: explicitly set the Pale Moon Sync server in preferences.
  • Android: IonMonkey (ARM): guarded against branches being out of range and bail out if so. security fix
  • Android: enabled Firefox compatibility mode on Android to allow the installation of extensions from AMO.
  • Android: added a "Quit" option to the app menu to properly immediately close the browser.
  • Android: IonMonkey (ARM): prevented a performance issue due to clobbering the primary scratch register.
  • Android: enabled mobile-specific optimizations to increase performance on mobile devices.
  • Android: enabled AES-128 and AES-256 in addition to RC4 for Sync.



Veranderingen voor v24.6.1 - v24.6.2

  • A point release to address some further outstanding issues with the overhauled rendering engine.
  • Fixes/changes:
  • Automate rendering back-end selection and use cairo as appropriate.
  • This should fix start-up problems on all types of graphics cards regardless of vendor.
  • Fix font subpixel rendering in menus when on cairo backend (D2D off)
  • Cairo: Prevent falling back to padding when not strictly needed.
  • Performance regression fix if D2D isn't used.
  • Azure: Use correct device offsets.
  • Prevent crashes due to the allocation of source surfaces to errored surfaces
  • This prevents some miscellaneous browser crashes occurring with cairo on azure.



Veranderingen voor v24.6.0 - v24.6.1

  • A quick point release update mainly to address startup crashes.
  • Fixes/changes:
  • Update to address startup crashes if users previously changed the setting for Azure for Content
  • Update for texture handling to restore GDI compatibility (should fix some graphics glitches)
  • Fix to handle invalid PDF plugin overlay state
  • Misc. additional security fixes ported over from Firefox (bug #s 991981, 995679, 999651, 1009952, 1011007)



Veranderingen voor v24.5.0 - v24.6.0

  • Fixes/changes:
  • Allow animated personas (lightweight themes)!
  • You will need to set a preference for this, since enabling animated personas causes a small but noticeable performance loss upon start-up.
  • To enable animated personas, go to about:config and set lightweightThemes.animation.enabled to true, then reload your persona.
  • Fix regularly occurring browser crashes with hardware acceleration enabled on DirectWrite 6.2/6.3 (Win 7 with Platform Update, Windows 8/8.1).
  • Most notable on computers equipped with NVidia cards, this combination of hardware and software would be cause for regular but intermittent crashes due to an issue with hardware acceleration. As part of the overhaul, this should now be fixed.
  • Fix font rendering issues on DirectWrite 6.2/6.3, especially on legacy AMD hardware. (KB2670838 issues).
  • A very long-standing issue that was already partly mitigated in Pale Moon should now be completely eliminated as part of the overhaul.
  • Fix Windows version detection issues on Windows 8.1.
  • Since Microsoft changed basic parts of the Windows API in Windows 8.1, operating system detection would indicate an incorrect WINNT version number (6.2 instead of 6.3) on Windows 8.1. This would show in e.g. the UserAgent.
  • Shuffle reported plugin installation order to confuse trackers.
  • Part of browser fingerprinting is the reported installation order of installed plugins in browsers. Pale Moon will now shuffle the reported order of installed plugins when enumeration is asked for, which will make it more difficult for tracking sites to individually track you. Please do note that some of the "fingerprinting tests" out there will report you as more uniquely identifying, but that is by design! This mitigation is not reducing your entropy, it is increasing it - but providing a different fingerprint each time, invalidating the fingerprints of both your presence and others' for trackers.
  • Clean up jumplist icons so they no longer pile up on disk on some systems (also a privacy concern).
  • On some systems, jumplist shortcut icons would not be deleted properly, causing them to pile up in the jumplist cache folder. The problem with this is both disk space (you could have many thousands of icons) and privacy (the icons would have a date and time, and would visually indicate which sites were visited)
  • Change the sync server to a (new) Pale Moon sync server.
  • As part of rolling out Australis, the Mozilla Corporation decided to also push out a new version of Sync which acts more like Google Accounts/Chrome sync, requiring a "Firefox Account". This new sync (1.5) is not compatible with older versions of Firefox or with Pale Moon, and Mozilla will also be phasing the old sync service out on the short term. As a result, I've been forced to start providing my own sync service, which will now be the default choice when you set up sync in the browser. Please carefully read the terms of service if you intend to use it.
  • Update the status bar code: Full-screen HTML5 video will no longer have status pop-ups overlaid.
  • Full-screen HTML5 video would receive pop-up status messages (if the full-screen setting to that effect was enabled). This would detract from the user's viewing pleasure. Full-screen video will now get special treatment and suppress the pop-up status. Note that full screen pop-up status will still be enabled by default on other types of content (e.g. full-screen HTML5 image galleries, etc.), unless you explicitly disable it in the status bar options.
  • Add code to selectively ignore "autocomplete=off" on signon input fields.
  • A good number of sites have added a restriction on signon (login) input fields to prevent autocompletion storage of those fields' content, in an attempt to "increase security". A few issues with this:
  • By forcing people to type the password each time, people are likely going to choose short and weak passwords.
  • The premise behind it seems to be that the websites "do not trust password managers" that the user has installed. It's not up to a website to decide this; Pale Moon puts you back in control.
  • The argument that credentials are stored automatically and compromise users' security that way doesn't apply, since storing passwords in Pale Moon is always an opt-in choice.
  • Code has been added to selectively ignore this autocompletion restriction so the Pale Moon password manager can effectively do its job.
  • Linux: reduce gstreamer CPU overhead.
  • There have been reports of excessive CPU usage when using gstreamer video playback on Linux. This should now be fixed.
  • Fix styled HTML buttons to address misaligned button contents (wrong baseline).
  • There was a bug in the Firefox layout engine causing styled input form buttons (as used by e.g. the Google Accounts chooser) to be misaligned vertically, specifically if a height was explicitly defined on the control. This should now be fixed.
  • Fix an old IonMonkey bug resulting in incorrect math results in some cases.
  • Some vector operations would intermittently yield incorrect results if the IonMonkey JIT compiler was used to speed up execution. This has been a problem in IonMonkey for quite a while but the bug wasn't hit very often. This should now be fixed, and correct, repeatable results can be expected.
  • Improve the performance of editor initialization.
  • Slightly speed up initialization of the editor.
  • Update the Pale Moon icon for better display on lower color depths.
  • Thanks to the efforts of a fellow Pale Moon user, the Pale Moon windows icon file has received work to display better on low and medium color depth displays (e.g. over RDP or similar)
  • Media: use a simpler way to discard superfluous audio packets.
  • This should help against audio/video desynchronization in some rare cases.



Veranderingen voor v24.2.2 - v24.4.0

  • Bugfix: the new status bar code in 24.4.0 had a bug, preventing the downloads panel/window from opening when clicking on the download status indicator. There may have been a few other, similar small usability bugs in the same code that have now been fixed.
  • Feature update: Selecting "Warn me when closing multiple tabs" in the Options window will now apply both to closing a window and closing other tabs in the tab bar.
  • Bug #940714 - Add an RAII class to make synchronous raster image decoding safer.
  • Bug #896268 - Use a stateless approach to synchronous image decoding. security fix
  • Bug #982909 - Consistently use inner window when calling OpenJS. security fix
  • Bug #982957 - Fix crash if certain sweeps run out of memory. security fix
  • Bug #982906 - Remove option for security bypass in URI building. security fix
  • Bug #983344 - JavaScript: Simplify typed arrays and fix GC loops. security fix
  • Bug #982974 - Be paranoid about neutering ArrayBuffer objects. security fix



Veranderingen voor v24.2.1 - v24.2.2

  • Implementation of all remaining applicable security fixes from Firefox 26.0 that were not implemented yet in previous versions.
  • Update of the Security library (NSS) to 3.15.3.1.
  • Fix of new js zone writes/zone barrier bugs.
  • The Sync configuration allows users to input their own recovery key again. Please note that letting the browser generate its own secure recovery key is still strongly recommended, as this recovery key should be impossible to guess and of sufficient length and complexity to keep your data safely encrypted.



Veranderingen voor v24.2.0 - v24.2.1

  • Fix for some status bar localizations not working and giving an error.
  • Implementation of an optimized QuickFind routine.
  • Implementation of per-zone user data handling.
  • Security fix in the JPEG library.
  • Security fix in web workers.



Veranderingen voor v24.1.2 - v24.2.0

  • This update implements the following changes:
  • Update of the new-tab routine: When opening a new tab, focus will now only be on the address bar if you open a blank tab or the Quick Dial page, and focus will be on the page content otherwise (Pale Moon start page or custom URL).
  • Compatibility issues between QuickFind/Find-as-you-Type and HTML5 input fields in forms fixed.
  • New advanced feature: Later versions of the Firefox code will automatically place the browser window fully on a visible portion of the screen. If you prefer having the browser window positioned partially off-screen and want to prevent this automatic resizing and repositioning when starting a new session, create a new boolean preference in about:config called browser.sessionstore.exactPos and set it to true.
  • Updated the localization of the status bar code with the following locales: en-GB, es-MX, es-AR, it, pl.
  • Fix for a security issue with script event handlers.



Veranderingen voor v24.1.1 - v24.1.2

  • Update of the NSPR library to 4.10.2 RTM.
  • Update of the Security library (NSS) to 3.15.3 (alternative branch) to pick up a number of fixes.
  • Fix (finally) of the menu list of tabs when browser.allTabs.previews is set to false. It would stick the top entry, not properly highlight the selected tab, and would generally be unpleasant and stubborn when tabs were moved or closed. This should all be corrected now.
  • Additional feature: Previously, tabs would immediately resize to fill the tab bar when you would close them. Mozilla changed this a (long) while back to cater to "rapidly closing multiple tabs without moving the mouse" and to resize you have to move the mouse out of the tab bar. A good number of Firefox/Pale Moon users don't like this behavior, but the fix to make this configurable was in the end rejected by the Mozilla UX team, so I opted for my own implementation in Pale Moon. New pref: browser.tabs.resize_immediately - set this preference to true to immediately resize other tabs when closing a tab.
  • Many thanks to David for doing the required research for this feature!
  • Rework of the multi-core routine and removal of OpenMP code and the related library (Microsoft's implementation is old, limited, and won't be updated/improved; in addition it prevented some compiler optimizations that could now be used again).
  • The accessibility back-end for "Find as you type" has been disabled completely to prevent this setting from breaking websites with HTML5 input fields (not compatible with FAYT).



Veranderingen voor v24.1.0 - v24.1.1

  • address connectivity issues with web servers using depreciated encryption methods



Veranderingen voor v24.0.1 - v24.0.2

  • This is a small update to address an few issues with standalone images:
  • In some cases when having an image open, the User Interface would not properly redraw resulting in blank controls and tab headers.
  • In some cases, having an image open would cause 100% processor use on one core.
  • Drawing thumbnails of standalone images in the tab headers would often be slow and processor-intensive.



Veranderingen voor v24.0 - v24.0.1

  • Fix for unreadable address bar text when visiting a broken or mixed-mode SSL site.
  • Fix for an incorrect browser cache size default when first starting the browser. (regression)
  • Note: If you have used version 24.0, then please check your Options -> Advanced -> Network tab, and if the cache size is set to "1024", change it back to its default "250" to prevent unnecessary use of disk space and potential slowing of the browser.
  • Fix for themes not applying to Private Browsing windows. (regression)
  • A small update to the new icon to fix some visual issues with it.
  • Reduction of visual friction and CPU usage on some operations by disabling smooth scrolling on it by default (e.g. Home/End keys).



Veranderingen voor v20.3 - v24.0

  • Switch to a new Mozilla code base (Gecko 24.0).
  • Update of the Pale Moon icon/logo. Special thanks go to Roger Gómez del Casal for providing me with an interesting concept design image to use as a base for it!
  • Fixes for all relevant security vulnerabilities.
  • Many changes and updates in the rendering, scripting and parsing back-end to provide significant improvements in overall browser performance (including benchmark scores).
  • Addition of a number of HTML5 elements, improving overall HTML5 standards compliance.
  • Implementation of the webaudio API (most features that are no longer draft).
  • Removal of Tab Groups (Panorama). If you actively used this functionality, I have also made an add-on (Mozilla dev sourced) available to restore this feature to the browser.
  • Removal of a few additional Accessibility options.
  • Inclusion of an updated version of the Add-on SDK and loader to solve recent issues with SDK/Jetpack add-ons.
  • Adjustment of the Quickdial "new tab" feature to have better layout.
  • Extension of the address bar shading functionality to more clearly indicate when there is a problem with a secure site (red shading on broken SSL/mixed content).
  • New way of handling plugins with control on a per-site basis. An extensive description can be found on the forum.
  • Restored/maintained a number of features that were removed from recent Firefox versions:
  • Graphical tab switching feature with quick search (Ctrl+Shift+Tab).
  • Removing the tab bar if there is only one tab present.
  • Options for the loading of images.
  • More recovery options in the Safe Mode startup dialog box than just nuking your profile.
  • Send Link/E-mail Link mail client integration functionality.
  • Unification of version numbers. x86 and x64 will from this point forward use the same version number (and icon) without an architecture designation. This will solve potential compatibility issues on new major versions, as well as the superfluous compatibility check when switching between x86 and x64 on the same profile.



Veranderingen voor v20.2.1 - v20.3

  • Changes:
  • A change to how tab histories are cached to improve the overall memory footprint and make browsing smoother, especially when using a large number of tabs with extensive active use.
  • A change to the networking pipelining back-end to use a more aggressive fallback if there are issues with pipelining requests, to minimize delays when loading pages and prevent time-outs.
  • Update of the compiler to Visual Studio 2012 Update 3, to fix a few compiler issues.
  • Removed the double entry for smooth scrolling selection in preferences (leaving just the one in the scrolling tab)
  • Fixes:
  • (CVE-2013-1704) ASAN heap-use-after-free in nsINode::GetParentNode
  • (CVE-2013-1708) Non-null crash at nsCString::CharAt
  • (CVE-2013-1712) Code injection through internal updater
  • (CVE-2013-1713) InstallTrigger can use the wrong principal when validating URI loads
  • (CVE-2013-1714) Cross Domain Policy override using webworkers
  • Fix for Updater crash
  • Fix for XSS vulnerability/URI spoofing
  • Fix for newly allocated WebGL array buffers (prevent the use of uninitialized memory)
  • Several fixes for the SSL crypto library (CVE-2013-1705 and others)
  • Fix for do_QueryFrame support
  • x64: Fix for Yarr error
  • Update to the installer's 7zsfx module to prevent dll hijacking



Veranderingen voor v20.2 - v20.2.1

  • A small update to address issues with the new Aero glass theme, e.g. Tab Groups not showing.



Veranderingen voor v20.1 - v20.2

  • This is a maintenance update, focusing on visual improvements and security.
  • Changes:
  • Implementation of some conservative additional multi-core support (mainly in graphics/media) using OpenMP. I'm taking baby steps here and will remain conservative in the use of multiple cores so stability of the browser isn't needlessly endangered.
  • Update of the navigation button icons (again). Users have clearly indicated that the inverted color icons on glass and dark themes were less desirable. I've listened, and changed the icons for glass back to the pre-20 style but with added contrast, and made a distinction for dark personas (themes) where the icons are now simply inverted white (like in Firefox).
  • Change for the color management system (CMS) so that Pale Moon now supports more types of embedded ICC profiles (including the already decade-old version 4 spec) and in the process fixing potential color issues on screens with images that embed such profiles.
  • Update of the browser padlock code. You can now choose both a "modern" look (as introduced in version 19) and a "classic" look (as introduced in version 15, when this padlock feature was first added). It also removes some phantom spacing in locations where the padlock isn't used (thanks for the pointer, Sowmoots!).
  • Fixes:
  • (CVE-2013-1692) Fix for the inclusion of body data in an XMLHttpRequest HEAD request, making cross-site request forgery (CSRF) attacks via a crafted web site more difficult.
  • (CVE-2013-1697) Fix to restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges.
  • (CVE-2013-1694) Fix to properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.
  • Fix to prevent arbitrary code execution from the profiler developer tool.
  • Fix for a crash when rapidly reloading pages.
  • Fix for cross-document selections.
  • Fixes for several crashes in JavaScript.
  • Fixes for several memory safety hazards and uncommon memory leaks.



Veranderingen voor v20.0.1 - v20.1

  • Changes:
  • Update of the libpixman graphics library to improve performance for SSE2 CPUs.
  • Some improvements are implemented in the optimized code paths for SSE2 instructions in the libpixman library.
  • Change to the "Clear download history" setting for use with the panel-based download manager (classic UI unaffected).
  • This change makes the UI clearer for privacy settings, to synchronize the setting for history&download in the preferences dialog box when the new download panel is used (since the new panel uses a history list for downloaded files in the library rather than a separate list). For panel downloads, both settings are now linked. For the classic download, a separate choice can be made for history and downloads as before.
  • New changes in Firefox code not included by design in this version of Pale Moon:
  • Removal of E4X - Pale Moon will keep this available until the next major release.
  • Removal of Places History API for add-ons.
  • More add-ons will be able to continue functioning if they make use of these APIs.
  • Addition of scoped stylesheet implementation.
  • This advocates the use of in-line styling in webpages (using style= parameters on elements instead of using classes and IDs), which is something we have been trying to move away from for some years now! It promotes using messy page code. Let's all keep things clean, shall we?
  • Implementation of FHR (Firefox Health Report - advanced usage/app metrics collection and submission).
  • Although it would allow users to get a bit more details about what is going on in their browser, the implementation is only partial to begin with, and there's no reason to add a potential privacy issue to Pale Moon in terms of telemetry-under-a-different-name.
  • Fixes:
  • (CVE-2013-1674) Fix for UAF with video and onresize event (crash fix)
  • (CVE-2013-1675) Fix for parameters being used uninitialized
  • (CVE-2013-1676) Fix for out-of-bounds read in SelectionIterator::GetNextSegment
  • (CVE-2013-1679) Fix for heap use-after-free in mozilla::plugins::child::_geturlnotify
  • (CVE-2013-1680) Fix for heap-use-after-free in nsFrameList::FirstChild (crash fix)
  • (CVE-2013-1681) Fix for heap-use-after-free in nsContentUtils::RemoveScriptBlocker (crash fix)
  • Fix for out-of-bounds read crash in PropertyProvider::GetSpacingInternal (crash fix)
  • Fix for out-of-bounds read in gfxSkipCharsIterator::SetOffsets
  • Fix for assertion failure in nsUnicharStreamLoader::WriteSegmentFun with ISO-2022-JP
  • Fix for crash with inline script in an XML doc (crash fix)
  • Fix for "ASSERTION: Out of flow frame doesn't have the expected parent" and crash (crash fix)
  • Fix for nsScriptSecurityManager::CheckLoadURIWithPrincipal being broken
  • Fix for a problem where the IPC Channel could overwrite the stack
  • Fix for Crash in MediaDecoder::UpdatePlaybackOffset (crash fix)
  • Fix for Crash [@ nsTextFrame::HasTerminalNewline()] with splitText (crash fix)
  • Fix for FTP use-after-free crash (crash fix)



Veranderingen voor v19.0.2 - v20.0.1

  • Per-window Private Browsing. Learn more.
  • Panel-based download manager. See the detailed changelog for more information.
  • Ability to close hanging plugins, without the browser hanging.
  • Performance improvements related to common browser tasks.
  • Pale Moon specific Cairo performance fix for scaling/panning/zooming of HTML5 drawing surfaces.
  • Pale Moon specific fixes for performance of drawing elements (gradients, etc.).
  • HTML5 canvas now supports blend modes.
  • Various HTML5 audio and video improvements.
  • Update of the Status Bar code to work with the new code base.
  • ECMAScript for XML (E4X) is kept available for add-ons. Note that this will be removed in future versions as E4X is obsolete.
  • Developer tools have been enabled by default, considering the code is practically impactless unless actually used.
  • Theming has been worked on to provide better contrast on glass/dark themes and to work around styling issues present in v19.
  • Updated fallback character sets to Windows-1252.
  • Restored legacy function key handling (uplifted from Firefox 22).
  • Fixed UNC path handling (Chemspill Firefox 20.0.1).
  • Always enable the use of personas, also in Private Browsing mode.
  • Experimental: support for H.264 videos (disabled by default)



Veranderingen voor v19.0.1 - v19.0.2

  • Fixes a critical security vulnerability in the browser (MFSA 2013-29)
  • Slightly improves HTTP pipelining
  • Update to the integrated status bar feature (German localization updated)



Veranderingen voor v19.0 - v19.0.1

  • Fix for bookmarks giving an "XML parsing error" when set to "load in the sidebar"
  • Fix for a double padlock display if a secure site would not supply a favicon
  • Redone the mixed content https padlock image in 32bpp to prevent potential UI rendering issues
  • Fixed a setting so no unnecessary code walking is done for the otherwise disabled accessibility features
  • Fix (inherent) for add-ons and themes being marked as incompatible in Pale Moon x64 when they have a minimum version of 19.0



Veranderingen voor v15.4.1 - v19.0

  • Update of the underlying Firefox (gecko) code to v19. This has a number of consequences:
  • Add-ons and themes may need to be updated since the UI code has changed.
  • HTML5-implementation is more complete
  • A number of CSS statements have their prefix removed (-moz*)
  • Javascript now uses the IonMonkey engine by default, which is a new (faster) engine
  • Improvements to the layout and rendering engines
  • If you are using a language pack, you need to update it to the new version
  • Update of the browser style. Main browser controls and the padlock look slightly different.
  • Several Pale Moon specific improvements to the rendering engine, noticeable in general use and certain benchmarks, to prevent browser stalls or high CPU usage on certain pages.
  • The builds no longer use PGO (Profile Guided Optimization) but are globally speed-optimized.



Veranderingen voor v15.4 - v15.4.1

  • Updated the C runtime library included to a later version for security/stability purposes.
  • Updated the Windows SDK version to 8.0 for better Windows 8 compatibility and slight overall improvements.
  • Implemented a fix to prevent unwanted automatic opening of the plugin check window on startup on some systems.
  • Corrected the milestone marker from 15.4pre to 15.4.



Veranderingen voor v15.3.2 - v15.4

  • Several security and stability issues have been fixed in this update:
  • Deal with bogus Turktrust certs MFSA 2013-20
  • Several memory security hazards fixed MFSA 2013-01
  • Updated OTS library to r95 to fix potential font-related exploits
  • Security fix for libpixman stack buffer overflow
  • Fix for certain types of input lag on Twitter/Facebook & other sites with unnecessary DOM invalidations
  • Fix for HTTP pipelining re-use (improve pipelining logic)
  • Performance&stability updates to cairo and direct2d back-end
  • Improved performance for repeat gradients



Veranderingen voor v15.3.1 - v15.3.2

  • This update fixes an important issue in the JavaScript engine (MethodJIT) that would make particularly large/complex pieces of JavaScript (e.g. Mandreel) fail.



Veranderingen voor v15.3 - v15.3.1

  • Bugfixes:
  • Fix for font rendering issues on Windows 8 (cairo+azure)
  • Status bar options: Russian locale fixed
  • Fix for status bar address bar linkover ghosting
  • Fix for browser hang in some WebM video content
  • Don't allow alert/confirm/prompt in onbeforeunload, onunload and onpagehide (bug# 391834)
  • Improvements:
  • Reduce non-incremental GC occurrences (reduce lag in Javascript)
  • More efficient CPU usage for JS and Canvas
  • Pale Moon x64: Performance improvements
  • Security fixes:
  • Security fixes for CVE-2012-5840, CVE-2012-5839, CVE-2012-4210, CVE-2012-4207 and CVE-2012-4214.
  • Fix for methodjit assertion issue (bug #781859)
  • Fix for potentially exploitable crash in XPConnect (bug #809674)
  • Fix for potentially exploitable crash in layout engine (bug #791601)
  • Fix for potentially exploitable crash in JS string handling (bug #778603)
  • Fix for potentially exploitable crash in GIF decoder (bug #789046)
  • Fix for potentially exploitable crash in image decoder (bug #802168)
  • Fix for use-after-free in editor lib (bug #795708)
  • Fix for potentially exploitable crash in SVG (bug #793848)
  • Fix for out-of-bounds read when blurring (bug #783041)
  • Fix for potentially exploitable crash in text editor (bug #798677)
  • Prevent URL spoofing through prompts (bug #700080)



Veranderingen voor v15.0 - v15.2

  • 15.2
  • This is an update to address a number of performance, stability and security issues, as well as some added features.
  • Fixes:
  • Important performance regression fix. Both javascript and the layout engine should now have the speed and stability that is to be expected from an optimized browser.
  • Fix for the "tabs on top" menu entry not showing when tabs are already set on top, making it very difficult to switch them back to bottom.
  • Crash: Fix for a browser crash with certain types of invalid gradients. (bug #792903)
  • Security: Prevent private browsing data leakage through popup windows (bug #795015)
  • Security: Detect IC purging (bug #794025)
  • Security: Prevent mRules from dying in DoInsertHTMLWithContext (bug #788950)
  • Security: Drain the parent frame's overflow list before insert/append (bug #765621)
  • Features:
  • Redesigned the identity panel and the way secure sites are handled in the UI
  • You will now always get the favicon in the address bar, and on secure sites you will have an added padlock (indicating ssl, extended verification or a broken/insecure/mixed-content site) to the identity panel and colored shading around the URL to indicate the status. (see detailed changelog)
  • After evaluating the new address bar autocomplete algorithm, it is now switched on by default.
  • Added an option to easily switch address autocompletion on or off (see detailed changelog)
  • Partial implementation of Japanese "status bar" preferences text
  • More details can be found in the detailed changelog on the Pale Moon forum.
  • 15.1.1
  • This is a minor update to address some important performance (high CPU usage) and stability (browser hang) issues in Pale Moon 15.1. Specifically, some of Tete009's patches were backed out.
  • Azure acceleration with his patches is still in place, but the multi-threaded box blur and cairo patches were removed to fix the CPU and browser hang issues, respectively.
  • 15.1
  • This is a major update to the new v15.0 release, to address a fairly large number of issues with the initial version.
  • Important note:
  • From this release onwards, the system requirements for your operating system have changed: If you are still running Windows XP, you are required to have Service Pack 3 installed on it, or the browser will not start.
  • Bugfixes:
  • Restore Windows XP Professional x64 compatibility in the installer.
  • Fix the mouse wheel smooth scrolling preferences in the preferences dialog box (did not work in v15.0)
  • Prevent memory inflation on some integrated graphics drivers in canvas games
  • Fix for private browsing mode (Firefox 15.0.1 top fix)
  • Fix for Javascript stability issues on 32-bit versions
  • Regression fixes:
  • Restore the favicon in the URL bar. (Behavior change: new logic)
  • Fix for top level images with transparency (white background)
  • Remove noise from top level image background
  • Undo the redesign of the Safe Mode dialog box
  • Restore Alt-Click save dialog box
  • Restore proper identity panel for domain-verified sites (blue panel)
  • Restore support for the browser.identity.ssl_domain_display setting
  • Restore address bar autofill preference to its desired default state (no autofill)
  • Added features:
  • Add control for a custom top level image background color
  • Implement Direct2D brush caching (performance win)
  • Implement multi-threaded box blur (performance win for multi-core systems)
  • Add a Profile Reset feature (from Help -> Troubleshooting information)
  • Build with a faster floating point method
  • To keep these release notes concise, this is just a plain list of changes. You are encouraged to read the extended changelog post on the Pale Moon forum if you have any questions or want clarification about any of the items mentioned.



Veranderingen voor v12.2 - v15.0

  • This is a new release based on the Gecko 15.0 code base with additional branch development. It incorporates many changes under the hood that go far beyond the scope of this document.
  • A few highlights, in addition to security fixes:
  • Performance improvements for the rendering engine
  • More HTML 5 implemented
  • Better handling of memory, resulting in smoother operation of the browser
  • More responsive user interface when the browser is busy
  • Prevention of memory leaks through add-ons
  • Better implementation of the Quickdial page
  • Localization of Pale Moon specific preferences and options (work in progress)
  • Reinstatement of the previous user interface, keeping it in line with version 12 (Firefox 15 has UI changes that makes the controls flat, monochrome and borderless, which isn't desired for Pale Moon)
  • The padlock has returned for secure pages! It can be found in front of the URL when you browse to a secure page, with optionally company information if supplied by the server
  • Some things new to the Firefox code base that are excluded or disabled by default:
  • Built-in PDF reader in javascript - use a standalone, dedicated reader
  • (this is both a security and functionality consideration)
  • Additional advanced web development tools - the average user never needs these
  • Web apps on the desktop - Pale Moon is a browser, not a pseudo-OS
  • Windows Metro UI



<<Terug naar software beschrijving