Moonchild Productions
Patches for Pale Moon x86
Windows
35 patches available
Pale Moon is an Open Source, Mozilla-derived web browser available for Microsoft Windows and Linux, focusing on efficiency and ease of use.
Pale Moon x86 Version 33.7.2
Release Date
6/3/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.7.2 (2025-06-03)
This is a security release.

Changes/fixes:
Addressed PWN2OWN-2025-1 (out of bounds read or write in promise) DiD
Addressed PWN2OWN-2025-2 (out of bounds read or write when using the ExtractLinearSum optimization) DiD
Fixed potential unexpected behavior in embedded protobuf code. DiD
Fixed an issue with potentially uninitialized contrast values when enhanced device contrast values can not be read from the O.S. DiD
Fixed potential sanitization issues with devtools Copy as curl feature.
It should be noted that we do not currently offer cross-platform curl features, so this is another DiD for this release.
Pale Moon x86 Version 33.7.1
Release Date
5/6/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.7.1 (2025-05-06)
This is a bugfix and security release.

Changes/fixes:
Fixed a crash dealing with BigInt in JavaScript compilation.
Updated NSS to 3.90.7 to pick up a security fix.
Updated devtools to escape some more characters in Copy as cURL on POSIX operating systems. DiD
Pale Moon x86 Version 33.7.0
Release Date
4/8/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.7.0 (2025-04-08)
This is a development, bugfix and security release.

Changes/fixes:
Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
Our minimum GCC version requirement to build is now 9.1.
Improved channel handling when CSP blocks network redirects.
Implemented several fixes for CORS preflight requests.
Added explicit whitelisting from CSP content loading of javascript: scheme URLs.
Updated the ffvpx library to 6.0.1, this time preventing video color range regressions. An update to 6.0 was previously backed out in 33.5.0.
Updated the JPEG-XL library to 0.11.1 to pick up several fixes and improve decoding compatibility of jxl files.
Updated the SQLite library to 3.49.1.
Fixed a spec compliance issue with DOMRect and DOMQuad returning 0 if NaN was present. We now return NaN in that case, per spec.
Fixed a spec compliance issue with NTLM authentication. We now compute Channel Binding Hashes using the certificate signatures hash algorithm, per spec.
Note that particularly weak algorithms are not used and SHA256 will be used as a minimum, instead, in those cases.
Fixed a buildability issue on Mac with XCode 16.3.
Added some additional safety checking to SharedArrayBuffers.
Added some additional safety checking to XSLT compilation and transformation.
Windows only: Added a preference widget.windows.follow_shortcuts_on_file_open to control how Windows File Open dialogs handle shortcut links. See implementation notes.
Security bugs addressed: CVE-2025-3028 (DiD) and CVE-2025-3033 (see implementation notes).

Implementation notes:
Windows only: This version introduces a new (numeric) preference to control how the Open File dialogs handle shortcut links in the file system.
A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevents the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating through shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, this would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Pale Moon, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value 0 which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers that you don't exactly know what they do (and never take their explanations at face value).
Pale Moon x86 Version 33.6.1
Release Date
3/11/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.6.1 (2025-03-11)
This is a security, bugfix and stability update.

Changes/fixes:
Simplified some WASM code generation in the Ion JIT compiler.
Fixed a crash in loading external resource maps.
Disabled potentially unsafe attempts at recovering JIT operations.
Fixed some minor linking issues in about:rights.
Updated the embedded emoji font to fix incorrect display of some of the wheelchair emoji.
Security issues addressed: CVE-2025-1934 (DiD).
Pale Moon x86 Version 33.6.0.1
Release Date
2/20/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.6.0.1 (2025-02-20)
This is an extra update to mitigate as much of the CloudFlare issues leading to browser hangs and memory issues as possible on the web browser side. Unfortunately CloudFlare still hasn't pulled their scripts that seem to deliberately cause these issues on Pale Moon and other independent browsers they seem to want to keep from the websites they protect. If you are interested in learning more, check out the forum thread where we're discussing this issue. Once again, please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).

Changes/fixes:
Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.
Pale Moon x86 Version 33.6.0
Release Date
2/7/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.6.0 (2025-02-07)
This is a development, bugfix and security release.
Due to the fact that CloudFlare has been causing application crashes that impact many users, this release has been pulled forward a few days to address these crashes with priority (should be fixed in this release).
Please note that at the time of publication of this browser version and release notes, even though crashes have been fixed, CloudFlare is denying UXP-based browsers as well as several other independent/smaller browsers access to many websites by way of their malfunctioning security check or captcha, with no priority given to actually fix it despite it being denial of service for users of affected browsers. Please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).

Changes/fixes:
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Restored unofficial branding to what it was before (New Moon instead of Browser).
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Security issues addressed: CVE-2025-1009.
Pale Moon x86 Version 33.5.1
Release Date
1/15/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.5.1 (2025-01-15)
This is a small bugfix and security release.

Changes/fixes:
Changed the way cookies are handled internally to fix an issue with cookie database corruption as a result of updates to domain suffixes.
Fixed an issue with Alternative-Services protocol negotiation.
Fixed a potential crash scenario with Structured Clone operations. DiD
Fixed a potential issue with line breaking if out of memory.
Fixed a rare crash with opportunistic encryption.
Minor code cleanup.
Security issues addressed: CVE-2025-0239 and CVE-2025-0238.
Pale Moon x86 Version 33.5.0
Release Date
12/5/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.5.0 (2024-12-05)
This is a development, bugfix and security release.
Note: Intel Mac builds are now ad hoc signed instead of unsigned, which should solve potential issues with newer macOS while still being compatible with old OS X. If you experience issues, please post in the Mac board on the forum for support.

Changes/fixes:
Implemented Regular Expression match indices (/d) feature.
Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
Updated handling of referrer policies to adhere to the updated spec.
CSS font variations keywords no longer throw an error. See implementation notes.
CSS border-radius will now also apply to element outlines.
Improved the display of amount of cached web content in preferences when cache is being cleared.
Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
Refreshed the built-in list of effective top-level domains.
Fixed several application crashes.
Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).

Implementation notes:
The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse the -variations keywords allowing variation alternative font-faces to be loaded, even if no base font was specified. To webmasters only supplying @font-face entries with variations keywords: please understand the intent of this CSS 4 spec and always provide a base font entry (graceful fallback).
Pale Moon x86 Version 33.4.1
Release Date
11/5/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v33.4.1 (2024-11-05)
This is a small bugfix and security release.

Changes/fixes:
Added a processor check to the 64-bit installer for Windows to check for AVX.
Note: this check does not work on Windows 7/8/8.1 and will allow installations on non-AVX processors there.
Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation.
Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
Addressed CVE-2024-10463.

General notes:
DiD: This means that a fix is Defense-in-Depth: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.
Pale Moon x86 Version 33.4.0.1
Release Date
10/9/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.4.0.1 (2024-10-09)
This is a small update to address two important issues:
Extension compatibility issues with the ghostbuster (leading to tab handling problems).
Windows 7 compatibility issues in 32-bit builds on some systems (leading to application UI paint failures/black window).
Pale Moon x86 Version 33.3.1
Release Date
9/10/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.3.1 (2024-09-10)
This is a minor security and bugfix update.

Changes/fixes:
Backed out support for FFmpeg 7.0/libavcodec 61 (Linux) due to it causing a major regression in WebAudio (broken on all platforms). This is being worked on to re-land at a later date.
Restricted the NotifyPaintEvent interface to chrome code only, there is no reason (other than potential tracking/fingerprinting) to have this accessible from content.
Fixed a potentially exploitable issue in JavaScript (FetchName).
Fixed a code correctness issue in XPConnect when creating sandboxes. DiD
Added a warning for using externally handled usenet protocols.
Security issues addressed: CVE-2024-8383 and CVE-2024-8381.
Pale Moon x86 Version 33.3.0
Release Date
8/13/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v33.3.0 (2024-08-13)
This is a major development update.

Important notes with this version:
From this version forward, all 64-bit releases require a processor with AVX capabilities! Please keep an eye on the forum for announcements of 64-bit SSE builds by the community if you are on particularly old or otherwise limited hardware that does not support AVX.
For Linux users: Starting with this version, our binaries are built with gcc 11 on a still conservative but more modern build platform (Oracle Linux 8). As a result, there may be some lib incompatibilities if you are still running on a particularly old distro for some reason. While we try to serve as broad of a Linux base as possible with our binaries, our lowest common denominator will occasionally shift to newer distros as a result of O.S. life cycles, compiler capabilities and available libraries.

Changes/fixes:
Implemented the bulk of the CSS cascade layers spec (@layer{}). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web.
Implemented support for Sec-Fetch-* headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does.
Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes.
Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes.
Dev: Aligned rounding behavior and precision ranges of toFixed and related functions with the spec. See implementation notes.
Dev: Aligned isTrusted for PostMessage and BroadcastChannel with expected values on the web. See implementation notes.
Dev: Added the navigator.webdriver attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs).
Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance.
Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling.
Fixed an issue with setting DOM color values. DiD
Slightly improved password form handling, detecting previously unsupported field orders.
Updated NSS to 3.90.4.
Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates).

Code cleanup:
Removed unused code related to the (incomplete) FoxEye experiment.
Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux).
Removed click event dispatching code that is no longer relevant.
Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code).
Removed the hidden network.dns.disablePrefetchFromHTTPS pref. DNS prefetching should not be treated differently for http and https.
Security issues addressed: CVE-2024-7531.
Pale Moon x86 Version 33.2.1
Release Date
7/15/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.2.1 (2024-07-15)
This is a bugfix and security update.

Changes/fixes:
Fixed a crash in CSS grid layout.
Set hidden HTML elements to actually always be hidden.
Updated NSS to 3.90.3.
Updated SQLite to 3.46.0.
Fixed an issue with setting of cookies.
Fixed an issue in Linux IPC code.
Fixed an issue with DNS prefetching (disabled by default).
Security issues addressed: CVE-2024-6611, CVE-2024-6612 DiD and several others (mostly DiD) that do not have a CVE number assigned.
Pale Moon x86 Version 33.2.0
Release Date
6/18/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.2.0 (2024-06-18)
This is a development, stability and security release.

Note: Mac builds have switched to Xcode 15 and are now cross-compiled from Apple silicon for Intel targets. While the resulting builds have been tested on a few Intel Mac systems, this is a big build change, so please get in touch through our forum if you experience any issues with these builds on Mac.

New features:
Implemented the missing parts of the html5 <dialog> element, including modal handling and custom backdrops.
Implemented coarser, user-configurable granularity for the canvas poisoning anti-fingerprinting measure. See implementation notes.
Implemented new CSS viewport units svw, svh, svmin, svmax, lvw, lvh, lvmin, lvmax, dvw, dvh, dvmin and dvmax.
Implemented new CSS logical viewport units vb, vi, svb, svi, lvb, lvi, dvb and dvi.

Changes/fixes:
Removed the archaic and wholly outdated FIPS security module code.
Removed the archaic DBM support code for storing of passwords in DBM format files.
Removed the -moz prefix from -moz-fit-content, aligning with the current CSS standard fit-content value.
Updated our build system by adopting parts of the old autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build requirement. If you build from source, you may want to review your dependencies with this change.
Fixed issues when building with GCC 14.* and Clang 16.*.
Fixed issues with emoji sequence clusters causing incorrect rendering of emoji glyphs in some cases.
Made some arguments to the legacy XPathEvaluator/XPathExpression interfaces optional for web compatibility.
Fixed a crash when reporting JavaScript module exporting errors.
Updated checking of special cookie prefixes to be case-insensitive in accordance with the current RFC 6265 (bis-11+).
Fixed issues with external protocol handlers.
Fixed an issue where autocomplete pop-ups would stay open in some circumstances.
Fixed an issue with potentially bad file names being entered by the user to Save As....
Fixed several crashes and race conditions.
Security issues addressed: CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690, CVE-2024-5698 DiD, CVE-2024-5688 DiD, CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE numbers assigned to them.
Pale Moon x86 Version 33.1.1
Release Date
5/24/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.1.1 (2024-05-28)
This is a minor security and stability update.

Changes/fixes:
Made the nonce length for http digest auth configurable.
Fixed various potential issues with font loading, parsing and handling.
Cleaned up error reporting for workers and normalized error messages.
Security issues addressed: CVE-2024-4772 DiD, CVE-2024-4771, CVE-2024-4769 and CVE-2024-4770.
We've switched back to an older toolchain (17.3) for compiling 32-bit Windows binaries (again) to hopefully address some of the intermittent stability issues people continued to have on later Microsoft compiler versions when running on older hardware.
Pale Moon x86 Version 33.1.0
Release Date
4/23/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v33.1.0 (2024-04-23)
This is a development, stability and security release.

New features:
Implemented support for single-use <link rel=preload> meta tag. This implementation allows use of it without specifying a second <link rel={type}> meta tag to actually load the linked document which was originally intended for this tag (to hint to a browser it should pre-load the document for fast painting).
Implemented CSP v3 keywords script-src-elem, script-src-attr, style-src-elem and style-src-attr.
Enabled the use of html5's <dialog> by default. While this is not yet a complete implementation, use of it in the wild dictated we enable this early. The implementation should functionally suffice for usage seen so far.
Added support for Emoji 15.1.
Implemented webkitURL legacy window alias for URL for web compatibility.
Implemented CSS shorthands margin-block, margin-inline, padding-block and padding-inline.
Added support for querying CPU capabilities (SSE2/AVX/AVX2) to the Navigator interface. For privacy reasons this is not exposed to the web, but can be used by extensions.

Changes/fixes:
Fixed broken mousewheel scrolling if building with --disable-npapi.
Fixed a minor issue with XUL tree display in some circumstances.
Dev: Aligned canvas Path2D.addPath with the updated spec. It now supports DOMMatrix as opposed to SVGMatrix.
Removed Stylo (Gecko Rust style system) leftovers from the source tree.
Fixed a few potential emoji display issues.
Fixed some issues with workers.
Fixed an issue with ctrl+c copying in devtools.
Fixed crashes when run under WINE because of its lack of support for IDXGIKeyedMutex.
Fixed a crash when dealing with a specific (unmaintained) extension.
Added .xrm-ms files to the executable warning list on Windows.
Added sanity checks on http/2 header sizes.
Fixed a potential issue in the JavaScript JIT compiler.
Pulled a few fixes from upstream for the OpenType Sanitizer.
Added a fix to avoid a potential issue when assigning a media data buffer.
Security issues addressed: CVE-2024-3863, CVE-2024-3302, CVE-2024-3857 DiD, CVE-2024-3859 and CVE-2024-3861 DiD.
Pale Moon x86 Version 33.0.2
Release Date
3/23/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v33.0.2 (2024-03-26)
This is a minor security and stability release.

Changes/fixes:
Fixed an issue with attributes on duplicate html tags.
Aligned the behavior of internal pointer structures to be more uniform. DiD
Security issue addressed: CVE-2024-2610
Pale Moon x86 Version 33.0.0
Release Date
1/26/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v33.0.0 (2024-01-30)
This is a new milestone release. It involves over 250 commits, of which the most important ones are highlighted here.

New features:
Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). This API is restricted to writing only for obvious security considerations. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented wheel concept of ClipboardItem objects.
Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
Implemented an option (Found in Preferences -> Content -> Media tab (new this version)) to restrict DOM full-screen mode to the existing browser window.
Implemented several options in a new preferences tab (Preference -> Privacy -> Tracking) to allow users to more easily control several privacy-impacting features, namely poisoning of canvas data (to prevent fingerprinting), and enabling of Performance observers (a developer feature) that some websites rely on for their operation.
Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.

Fixes:
Aligned microtasks and Promises scheduling with the current spec and expected behavior.
We now no longer send click events to top levels of the document hierarchy when using non-primary buttons (use auxclick, instead, to capture these events).
Greatly improved the performance of box shadows.
Greatly improved the performance of file/data uploads over HTTP/2 (most of the secure websites out there).
Fixed several issues related to focus and content selection.
Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
Fixed an issue with CSP not behaving as-expected when using importScripts(), and fixed a number of additional CSP-related issues.
Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
Fixed a spec compliance issue with StructuredClone.
Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
Fixed crashes when dynamic imports are canceled (e.g. by navigation).

Other changes:
Changed <input type=file> to now have its .files property be writable following a spec change and recommendation.
We are now requiring and building against the C++17 language standard.
Updated the in-tree ffvpx lib to 6.0.
Added a preference to allow users to completely disable reporting of CSP errors to webmasters. Using this is strongly discouraged as it will provide essential troubleshooting information to webmasters setting up CSP, and does not pose a privacy issue, but for those who really want it, it can now be fully disabled. The preference is security.csp.reporting.enabled.
Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
Improved efficiency of handling D3D textures.
Added initial and experimental Mac PowerPC and Big Endian support.
Changed the behavior of hung scripts. We now automatically terminate them instead of presenting the user with a dialog box (which may or may not show in a reasonable time if the browser is too busy trying to process the hung script). If you prefer the old behavior, uncheck the box "Automatically stop non-responsive scripts" in Preferences -> Content -> General.
Security issues addressed: CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.
Pale Moon x86 Version 32.5.2
Release Date
12/22/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v32.5.2 (2023-12-22)
This is a bugfix and security update.

Changes/fixes:
Removed the standard Twitter/X user-agent override because they decided to block us on it.
Added preferences for the user to control whether or not the tab page title should be included in the window title or not. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
Removed a restriction on Fetch preflight redirects, following a spec update.
Improved the handling of web workers if they get aborted mid-action.
Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 4 fixed, 2 DiD, 1 rejected (which was DiD at best), 1 postponed (low risk), 22 not applicable.
Pale Moon x86 Version 32.5.1
Release Date
11/28/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v32.5.1 (2023-11-28)
This is a minor development and security update.
Important: as of this version, our beta FreeBSD binaries require at least FreeBSD 13.

Changes/fixes:
Restricted protocol fallback for TLS. Pale Moon no longer (by default) allows TLS 1.3 to fall back to earlier protocol versions during the initial handshake.
Reverted the addition of browser.bookmarks.openInTabClosesMenu due to behavioral issues with menus.
If you desire the intended behavior, please use an extension instead.
We no longer support the data: protocol inside SVGs <use> statements.
Enabled more validation/error checking for WebGL on Windows to prevent potential crashes.
Improved secure context checking for iframes.
Fixed the handling of relative paths in URLs starting with multiple forward slashes.
Security issues addressed: CVE-2023-6204, CVE-2023-6210, CVE-2023-6209 and CVE-2023-6205 DiD
UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14 not applicable.
Pale Moon x86 Version 32.5.0
Release Date
10/31/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.5.0 (2023-10-31)
This is a major development and security update.

Changes/fixes:
Added an initial implementation of the ReadableStreams API, improving web compatibility with sites that apparently use this API in utilitarian fashion.
Added support for transparency in WebM videos for the edge case of using <video> elements for transparent animated images. Major caveat: this will massively impact performance of video playback if an alpha channel is present in the video.
Added support for crypto.randomUUID to allow website scripting to generate random UUIDs (universally unique identifiers) through the WebCrypto interface.
By user request, added a preference browser.bookmarks.openInTabClosesMenu (default true) to allow users to configure if they want to keep the bookmarks menu open if they open bookmarks from it in a new tab (by middle-clicking or Ctrl-clicking). The default behavior is to close the bookmarks menu like any other menu when an option in it is clicked.
Removed the user-agent override for Netflix, since they have stopped supporting the Silverlight browser plugin. Pale Moon no longer has a way to provide Netflix DRM-controlled playback with them dropping it, so there is no longer a reason to try and force compatibility.
Updated the user-agent override for Spotify. While it is possible to use the website with this, it suffers from the same DRM issue and not all media will be playable (only non-encumbered media can be played in Pale Moon like podcasts). Your mileage may vary.
Implemented timer nesting and clamping for workers, preventing timer hangs on bad website code.
Improved handling of drawing SVG images on canvases without explicit width or height attributes. We now follow the css-sizing-3 Intrinsic Sizes spec.
Improved performance of our memory allocator.
Updated libvpx to 1.6.1.
Cleaned up and updated some media playback code.
Removed the inclusion of GMP (Gecko Media Plugin) support from Pale Moon, as it was only in use for EME/DRM and WebRTC, neither of which we support.
Removed the last vestiges of EME/DRM code from UXP, since this will never be supported in any application building on it due to the media industry's draconic policies around FOSS.
Removed simd.js, moving actually used SIMD handling to C++.
Removed the use of libav in our source, replacing its supply of FFT with the equivalent from FFMpeg.
Fixed potential type confusion in IonMonkey due to 3-byte opcodes.
Fixed an issue with tooltips persisting even if the browser window would have lost focus.
Fixed PerformanceObserver navigation and resource timing (default disabled for privacy); our implementation now fully passes conformance tests.
Fixed an issue where top-level SVG images would not be correctly clipped by positioned elements, giving the impression of wrong z-ordering as the SVG would overlap other elements.
Dev: Updated setInterval to fall back to 0 if no duration is supplied.
Dev: Updated ResizeObserver to a recent spec change, now returning an array of results for borderBoxSize and contentBoxSize instead of an object.
Dev: Updated Intl.NumberFormat and DefaultNumberOption() to follow spec updates. Most importantly for web compatibility, we now allow the maximumFractionDigits option in Intl.NumberFormat to be less than the default minimum fraction digits for the chosen locale, following the general consensus in TC39 around this issue.
Increased leniency (removed upper limit) of GLSL versions as they tend to be fully backwards compatible.
Fixed various crashes.
Added a safeguard to the sec-gpc header (Global Privacy Control) so it cannot be inadvertently overwritten.
Security fixes: addressed CVE-2023-5722, CVE-2023-5723, CVE-2023-5724, CVE-2023-5727 and several other issues without a CVE number assigned to them.
UXP Mozilla security patch summary: 6 fixed, 2 DiD, 19 not applicable.
Pale Moon x86 Version 32.4.0
Release Date
9/5/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.4.0 (2023-09-05)
This is a major development update, further improving web compatibility and fixing bugs.

Changes/fixes:
Implemented the BigInt primitive type for JavaScript. See implementation notes.
Implemented Big(U)Int64 array support.
Implemented ergonomic brand checks for JavaScript class fields.
Aligned the Performance API with the Timeline v2 spec.
Aligned the handling of flex/grid percentages resolving against the parent with other browsers. See implementation notes.
Added or updated several user-agent overrides for problematic websites.
Added 2 preferences to allow users to disable CSS animations and transitions. See implementation notes.
Improved compatibility with MacOS 14.
Fixed an important, intermittent JavaScript crash related to garbage collection.
Fixed several crashes.
Fixed several debug build related issues.
Fixed an issue building on SunOS related to the spelling library.
Developer: Added ASan support for building with MSVC.
Added the .xll file extension to the executable extensions list.
Security issues addressed: several potential security issues that do not have a CVE number. DiD
UXP Mozilla security patch summary: 1 fixed, 3 DiD, 17 not applicable.
Implementation notes:
The BigInt primitive (base number format) in JavaScript allows JavaScript to handle excessively large integers (whole numbers). This primitive is especially useful for specialized scientific applications that need very large yet accurate numbers, but has seen widespread adoption for an as of yet unknown reason as part of web frameworks, causing general web compatibility issues for Pale Moon when scripts expect BigInt support and instead have an error thrown. We have now implemented this primitive for use so we no longer have compatibility issues with these frameworks. It is still unknown why BigInt is in use there and for what. Critical note: BigInt might be tempting to consider for JS-backed cryptography but this is very ill-advised, as BigInt operations are, by their nature, not constant-time and allow timing and side-channel attacks.
Flex and grid item sizes in percentages would previously be resolved against the parent like other elements, according to a very long-standing practice that stems from the Internet Explorer days. Mainstream browsers have, however, made an exception for flex items and grid items to no longer do this. We have now made the same exception for these types of elements which should solve layout issues on some websites (notably reserving too much space for items, often resulting in very large areas of whitespace or items being pushed out of view).
Two preferences were added (layout.css.animation.enabled and layout.css.transition.enabled) to allow users to completely disable CSS-based animations and transition effects. This was a request by users as both a performance and accessibility consideration. Please note that in some cases, disabling animations and transitions may have an impact on final web page layout, so you may run into some issues when disabling these animations and transitions as the web pages were designed to use them.
Pale Moon x86 Version 32.3.1
Release Date
7/18/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v32.3.1 (2023-07-18)
This is a small but important bugfix release to address important regressions in 32.3.0.

Changes/fixes:
Fixed intermittent crashes related to the performance API.
Fixed intermittent issues with JavaScript malfunctioning in chrome scripts (causing faults in the UI and extensions).
Pale Moon x86 Version 32.2.0
Release Date
5/16/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.2.0 (2023-05-16)
This is another important, major development update, continuing our rapid development efforts in the v32 milestone.
With this version we should have restored web compatibility with the majority of reported problematic websites. If you were previously running into websites being problematic in Pale Moon, it may be a good idea to try them again with this release.
Special thanks to Job Bautista, martok, dbsoft, FranklinDM and Travis for continuing their hard work making this a reality!
This updates our UXP/Goanna platform version to 6.2.

Changes/fixes:
Implemented dynamic module imports. See implementation notes.
Implemented exporting of async functions in modules.
Implemented JavaScript class fields. See implementation notes.
Implemented logical assignment operators ||=, &&= and ??=.
Implemented a solution for websites using the officially deprecated ambiguous window.event. This is disabled by default but can be enabled through about:config's dom.window.event.enabled preference. See implementation notes.
Implemented self.structuredClone() (this may be very obscure to anyone except web developers. Apologies ;-) )
Implemented Element.replaceChildren. Once again primarily a web developer note.
Improved Shadow DOM :host matching.
Implemented WebComponents CSS ::slotted() and related functionality.
Improved page caching in our memory allocator.
Added support for FFmpeg 6.0, especially important for bleeding-edge Linux distros.
Fixed a potential drawing deadlock for images, specifically SVG. This solves a number of hang-on-shutdown scenarios.
Fixed various crashes related to WebComponents and our recent JavaScript work.
Fixed various build-from-source issues on secondary target platforms.
Fixed various small browser front-end scripting issues that could lead to errors or broken functionality.
Fixed handling of async (arrow) functions declared inside constructors.
Fixed various small JavaScript conformance issues.
Pale Moon x86 Version 32.1.1
Release Date
4/18/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.1.1 (2023-04-18)
This is a bugfix and security release.

Changes/fixes:
Fixed a crash in CompareDocumentPosition with Shadow DOM.
Fixed a crash with display:contents styling.
Added a preference to disable the TLS 1.3 protocol downgrade sentinel (see implementation notes).
Changed the way large clipboard copy/paste operations are handled, improving privacy (see implementation notes).
Improved filename safety when saving files to prevent potential environment leaks (bis).
Improved sanity checks of MIME type headers.
Security issues addressed: CVE-2023-29545 and CVE-2023-29539.
UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49 not applicable.
Implementation notes:
Some proxies and middleware boxes improperly handle the TLS 1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With our recent update of NSS, Pale Moon no longer allows this kind of protocol downgrade when trying to establish a TLS 1.3 connection to a server. The resulting error is ssl_error_rx_malformed_server_hello with an inability to connect to the server. To enable users to still connect to the servers or devices in question, we've added an option to switch off the downgrade sentinel. To switch it off as a temporary workaround, set security.tls.hello_downgrade_check to false.
If copy and paste operations to/from the browser are performed, Pale Moon writes clipboard contents to disk in a temporary cache file if the copy/paste amount is particularly large, to avoid using large amounts of memory to hold this data. The average paste/clipboard size doesn't tend to hit this limit in which case it is just held in memory.
Previously, these cache files, while in the O.S. temporary file location (%TEMP% or /tmp), would not be consistently cleaned up, potentially causing privacy issues if persisted. This was changed to using auto-cleaning anonymous temp files, improving user privacy and relying less on the O.S. or user performing cleanup of temporary file storage. Thanks to Sandra for pointing this out and providing the patch.
Pale Moon x86 Version 32.1.0
Release Date
3/21/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.1.0 (2023-03-21)
This is another major update with important compatibility improvements for the web. Most notably, our implementation of Google WebComponents is now at a state where we enabled them by default.

Additionally, our Mac builds (for both Intel and ARM Macs) are no longer in beta and considered stable. Signed/notarized builds with the regular branding are available from the download page!

Huge thanks to FranklinDM for his work this cycle getting us to this point. Of course major thanks to everyone who has contributed to this complex and difficult WebComponents task over a long time!
Thanks also to Martok and Job Bautista for continuing to work on and improve the JavaScript engine as well as u3shit for working on video playback improvements.

Changes/fixes:
Shadow DOM and CustomElements, collectively making up WebComponents, have been enabled by default which should bring much broader web compatibility to the browser for many a site that uses web 2.0+ frameworks. See implementation notes.
Tab titles in the browser now fade if they are too long instead of using ellipses, to provide a little more readable space to page titles. Note that this may require some updates to tab extensions or themes.
A number of site-specific overrides have been updated or removed because they are no longer necessary or current with the platform developments in terms of web compatibility. We could use your help evaluating the ones that are still there; see the issue on our repo.
Updated our promises and async function implementation to the current spec.
Implemented Promise.any()
Fixed several crashes related to regular expression code.
Improved regular expression object handling so it can be properly garbage collected.
Fixed some VP8 video playback.
Fixed an issue where the caret (text cursor) would sometimes not be properly visible.
Updated the embedded emoji font.
Implemented the :is() and :where() CSS pseudo-classes.
Implemented complex selectors for the :not() CSS pseudo-class.
Implemented the inset CSS shorthand property.
Implemented the env() environment variable CSS function. See implementation notes.
Implemented handling for RGB encoded video playback (instead of just YUV).
Implemented handling for full-range videos (0-255 luminance levels) giving better video playback quality.
Removed the WebP image decoder pref. See implementation notes.
Enabled the Web text-to-speech API by default (only supported on some operating systems).
Updated NSPR to 4.35 and NSS to 3.79.4
Cleaned up unused tracking protection plumbing. See implementation notes.
Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
Fixed several intermittent and difficult-to-trace crashes.
Improved content type security of jar: channels. DiD
Improved JavaScript JIT code generation safety. DiD
Fixed potential crash scenarios in the graphics subsystem. DiD
Improved filename safety when saving files to prevent potential environment leaks.
Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several others that do not have a CVE.
UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.
Implementation notes:
Google WebComponents has been long-running major feature work in UXP. We're finally at a level with this (after several setbacks and brick-walling) that it can be enabled by default. Please note that while this greatly improves web compatibility with many Chrome-focused websites using these controversial technologies, our implementation is not yet complete and more work is necessary. As a result, this change to enable it by default may actually break some previously-working websites as well, but it's expected the majority will work at our current state of implementation. Please visit the forum if you need help with web compatibility issues.
The env() CSS function was implemented for compatibility with websites that rely on this without fallback. Note that this function actually has no real u
Pale Moon x86 Version 32.0.1
Release Date
2/21/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.0.1 (2023-02-21)
This is a bugfix and security update.

Changes/fixes:
Fixed a crash in the new regular expression code.
Added {Extended_Pictographic} unicode property escape to regular expressions.
Fixed a regression in regular expressions for literal parsing of invalid ranges.
Updated NSS to pick up fixes.
Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and CVE-2023-0767.
UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable.
Pale Moon x86 Version 32.0.0
Release Date
1/24/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v32.0.0 (2023-01-24)
This is a new milestone release.
Primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support.
This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of BigInt primitives.
Special thanks to Martok, Job Bautista and FranklinDM without whom this milestone would not have been possible, and to dbsoft for putting in the effort to work on Mac and FreeBSD builds.

Most important changes:
Implemented Regular Expression named capture groups.
Implemented Regular Expression unicode property escapes.
Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ).
Implemented progressive decoding for JPEG-XL.
Implemented animation for JPEG-XL.
Implemented a compatibility mode for <button> elements. See implementation notes.
Renamed CSS offset-* properties to inset-* to align with the latest spec and the web.
Fixed CSS inheritance and padding issues in some cases.
Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one).
Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images.
Updated the JPEG-XL and Highway libraries to a recent, stable version.
Cleaned up some unused CSS prefixing code.
Improved the ability to link on *nix operating systems with other linkers than gcc's default.
Stability improvements (potential crash fixes).
Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.
Platform support:
We're working on finalizing official builds for Mac OS and FreeBSD. These are currently in beta and can be downloaded from the Contributed Builds page. Please note that you may run into some system compatibility issues with these builds. If you do, please go to the forum and report it in the appropriate board!
Implementation notes:
To provide users with a temporary work-around for non-compliant websites, a compatibility mode for <button> elements was implemented, which will treat <button> elements as generic containers instead of actual form button elements. This has been necessary because Chrome is not standards compliant in this respect and website developers regularly make the mistake of trying to use active content on button faces and expecting pointer events to end up being sent to the active content and not the button (which is not what the standard prescribes! See content model on the standards page stating there must be no interactive content descendant). Webmasters should be alerted to this compliance issue, but it can (temporarily) be worked around in the browser from this point forward by setting the preference dom.forms.button.standards_compliant to false and restarting the browser. Note that this is a workaround and the only actual solution is advocacy for the standard and more browsers becoming standards compliant.
Pale Moon x86 Version 31.4.2
Release Date
12/20/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v31.4.2 (2022-12-20)
This is a bugfix and security update.

Changes/fixes:
Fixed JPEG-XL's transparency display for images with an alpha channel.
Temporarily removed regex lookbehind to stop crashes occurring on 32-bit builds of the browser.
Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives.
Aligned cookie checks with RFC 6265 bis. See implementation notes.
Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions.
Fixed several crashes.
Security issues addressed: CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 4 fixed, 20 not applicable.
Implementation notes:
RFC 6265 has been worked on with draft changes describing how cookies are actually being handled in the real world, in the bis versions of the RFC. While these changes have not yet been finalized, browsers in general do adhere to the latest available bis version of this RFC. Specifically, the long-standing exceptions for cookie names and values have been formalized, e.g. having quoted values. Our behavior has changed in that we now once again accept Tab characters (0x09) which is the one excluded control character from the range that is otherwise forbidden. We also no longer apply these checks exclusively to those in http headers, and any way of setting cookies must now adhere to the valid range. Cookies that fail these range checks for valid characters will be ignored.
Pale Moon x86 Version 31.4.1.1
Release Date
12/1/2022
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v31.4.1.1 (2022-12-01)
32-bit Windows only!

This is a rebuild of 31.4.1 for Windows 32-bit to address run-time crashes on Windows 7 32-bit on older hardware.
Pale Moon x86 Version 31.4.1
Release Date
11/29/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

v31.4.1 (2022-11-29)
This is a bugfix release.

Changes/fixes:
Fixed wrong color of decoded JPEG-XL images.
Fixed an issue with plugins not receiving keypress events properly.
Pale Moon x86 Version 31.4.0
Release Date
11/22/2022
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v31.4.0 (2022-11-22)
This is a major development update, adding JPEG-XL image support among other things.

Changes/fixes:
Added support for the JPEG-XL image format.
Implemented regular expressions lookaround/lookbehind.
Aligned CORS header parsing with the updated spec. See implementation notes.
We no longer fire keypress events for non-printable keys. See implementation notes.
Added support for MacOS 13 Ventura in the platform, primarily benefitting White Star.
Fixed potentially problematic thread locking code on *nix platforms.
Fixed some small issues in the display and operation of the Web Developer tools.
Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers)
Improved code for SunOS builds.
Updated Internationalization data for time zones.
Fixed a buffer overflow for Mac builds.
Security issues addressed: CVE-2022-45411 and potential issues without a CVE number.
UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25 not applicable.
Implementation notes:
CORS support has been updated to the current spec. Most importantly, Pale Moon now accepts wildcard entries (*) for the CORS statements Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Method. Note that wildcards are ignored (according to the spec) when credentials are passed.
Pale Moon will no longer fire the keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although it should be considered a website error expecting not all keypresses to be intercepted in keypress events.
Pale Moon x86 Version 31.3.1
Release Date
11/1/2022
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v31.3.1 (2022-11-01)
This is a security and compatibility update.

Changes/fixes:
Added detection support for the newly-released MacOS 13 (Ventura).
Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674) DiD
Fixed potentially undefined behavior in our thread locking code. DiD
Fixed a potentially exploitable crash in the refresh driver.
Fixed potentially undefined behavior when base-64 decoding. DiD
Implemented a texture size cap for WebGL to prevent potential issues with some graphics drivers. DiD
Updated site-specific overrides to address issues with ZoHo.
UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.
Pale Moon x86 Version 31.3.0.1
Release Date
9/28/2022
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v31.3.0.1 (2022-09-28)
This is a small update to back out the changes to handling of flex containers in 31.3.0 since it caused severe usability issues on several websites.
Pale Moon x86 Version 31.2.0.1
Release Date
8/3/2022
Bug Fix?
Yes
Minor Release?
No
Patch Notes

v31.2.0.1 (2022-08-03)
This is a small out-of-band update to address the fact that the final builds did not include the intended NSS library update.