| Version | Change log |
| Pale Moon 33.5.0 Dec 5, 2024 |
Changes/fixes: Implemented Regular Expression "match indices" (/d) feature. Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking. Updated handling of referrer policies to adhere to the updated spec. CSS font variations keywords no longer throw an error. See implementation notes. CSS border-radius will now also apply to element outlines. Improved the display of amount of cached web content in preferences when cache is being cleared. Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it). Updated NSS to 3.90.5 (unofficial) to pick up some security fixes. Refreshed the built-in list of effective top-level domains. Fixed several application crashes. Reduced unnecessary debug/informative messages in release builds (WebGL and CSP). Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255). Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base. From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese. Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD). Implementation notes: The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse th |
| Pale Moon 33.4.1 Nov 5, 2024 |
Changes/fixes: Added a processor check to the 64-bit installer for Windows to check for AVX. Note: this check does not work on Window 7/8/8.1 and will allow installations on non-AVX processors there. Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation. Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD Addressed CVE-2024-10463. |
| Pale Moon 33.4.0 Oct 8, 2024 |
Changes/fixes: Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes. Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD). Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes. Improved buildability on NetBSD and Altivec architectures. Fixed building issues on Apple Silicon Mac with XCode 16. Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues. Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream. Dev: Implemented getTransform and setTransform with DOMMatrix arguments. Dev: Implemented ES2023 Hashbang grammar proposal. Fixed an issue with JavaScript's StructuredClone. Security issues addressed: CVE-2024-9396. Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed) |
| Pale Moon 33.3.0 Aug 13, 2024 |
Changes/fixes: Implemented the bulk of the CSS "cascade layers" spec (@layer{}). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web. Implemented support for Sec-Fetch-* headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does. Added support for FFmpeg 7.0 / libavcodec 61 (Linux). Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes. Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes. Dev: Aligned rounding behavior and precision ranges of toFixed and related functions with the spec. See implementation notes. Dev: Aligned isTrusted for PostMessage and BroadcastChannel with expected values on the web. See implementation notes. Dev: Added the navigator.webdriver attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs). Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance. Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling. Fixed an issue with setting DOM color values. DiD Slightly improved password form handling, detecting previously unsupported field orders. Updated NSS to 3.90.4. Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates). Code cleanup: Removed unused code related to the (incomplete) FoxEye experiment. Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux). Removed click event dispatching code that is no longer relevant. Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code). Removed the hidden n |
| Pale Moon 33.1.0 Apr 23, 2024 | |
| Pale Moon 33.0.1 Feb 27, 2024 | |
| Pale Moon 33.0.0 Jan 30, 2024 | |
| Pale Moon 32.5.1 Nov 28, 2023 |
Restricted protocol fallback for TLS. Pale Moon no longer (by default) allows TLS 1.3 to fall back to earlier protocol versions during the initial handshake. Reverted the addition of browser.bookmarks.openInTabClosesMenu due to behavioral issues with menus. If you desire the intended behavior, please use an extension instead. We no longer support the data: protocol inside SVG's <use> statements. Enabled more validation/error checking for WebGL on Windows to prevent potential crashes. Improved secure context checking for iframes. Fixed the handling of relative paths in URLs starting with multiple forward slashes. Security issues addressed: CVE-2023-6204, CVE-2023-6210, CVE-2023-6209 and CVE-2023-6205 DiD UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14 not applicable. |
| Pale Moon 32.5.0 Oct 31, 2023 |
Added an initial implementation of the ReadableStreams API, improving web compatibility with sites that apparently use this API in utilitarian fashion. Added support for transparency in WebM videos for the edge case of using <video> elements for transparent animated images. Major caveat: this will massively impact performance of video playback if an alpha channel is present in the video. Added support for crypto.randomUUID to allow website scripting to generate random UUIDs (universally unique identifiers) through the WebCrypto interface. By user request, added a preference browser.bookmarks.openInTabClosesMenu (default true) to allow users to configure if they want to keep the bookmarks menu open if they open bookmarks from it in a new tab (by middle-clicking or Ctrl-clicking). The default behavior is to close the bookmarks menu like any other menu when an option in it is clicked. |
| Pale Moon 32.4.1 Oct 3, 2023 |
Fixed an issue in BigInt typedArray costructors. Added some safety checks for Performance Observers. Fixed JSON BigInt regressions. Fixed missing BigInt increment/decrement operations. Added WASM sign extension opcodes. Fixed an issue with dead Promise wrappers in JavaScript Fixed an issue with Alternative Services Fixed an issue with libvpx (address CVE-2023-5217) |
