Pale Moon 27.x.x Released

Status
Not open for further replies.

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.0.0 (2016-11-22)

After about 8 months of development, we now have a new milestone release with literally too many changes to list even concisely. These release notes will therefore only highlight the most important parts of this release.
In this release we've done a full upgrade of our back-end platform, meaning many things work different "under the hood" and you may run into a number of extension compatibility issues as a result.

  • Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
  • Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
  • Pale Moon now fully supports HTTP/2.
  • Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
  • Media Source Extensions have been implemented to solve many video playback issues.
    This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
  • Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
  • Support for SSL/TLS connections to proxy servers.
  • Support for the WOFF2 font format for downloadable fonts.
  • The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
  • The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.

  • Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
  • Removed the internal PDF (pre)viewer. This module was not maintained, was unable to display even half of the PDF documents correctly, and could not reasonably remain included in the browser. Please use a separate reader and/or install a PDF reader plugin.
  • Disabled building of the devtools. They will not be included in release versions of Pale Moon from this point forward. If you are a web developer or otherwise need those tools, fear not! They are available as a browser extension.
  • Removed the active XSS filter. This feature, although effective, was prone to some instability and needs to be rewritten for the update of our platform. It may or may not return in the future, depending on whether the original author has time to rewrite parts of this filter implementation.
  • Removed support for Add-on SDK extensions (JetPack extensions), considering the Mozilla/Gecko SDK is no longer compatible with our combination of application and platform code.

  • All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide an as secure as possible browser.
  • Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
  • There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows+NTFS). You can find this in Options.

  • Pale Moon 27 will initially only be available in English. We are working on getting localization done to have language packs available over time.
    Important: You can not use the previous language packs since many strings have changed. Trying to do so will likely prevent the browser from starting or functioning. Pale Moon will automatically disable language packs for the previous version, but if you have explicitly disabled add-on compatibility checking you may run into trouble.
  • We will continue to fully support the following:
    • NPAPI plugins
    • Extensions with binary/XPCOM components
    • XUL/Overlay and bootstrapped extensions
    • Complete themes
    • Unsigned and author-signed extensions
    • The Camellia encryption cipher (also in GCM mode)
    • Graphite font shaping
    • Sync 1.1 (albeit without support for syncing add-ons)
    • Full customization of the UI as before
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.0.1 (2016-11-28)
This is a bugfix release for some of the issues that popped up with the new milestone.

  • Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code.
    This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
  • Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
  • Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
  • Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
  • Worked around bad Netflix interface changes - it will now use a more compatible web UI.
    Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
  • Aligned base status bar colors with default prefs.
  • Fixed status bar options not being remembered.
  • Added an override for Amazon Prime videos so they won't stop us at the front door any longer when not using the Firefox Compatibility user agent mode.
  • Re-applied proper branding text to in-app licensing.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.0.2 (2016-12-02)
This is a minor update to address usability and security issues:​
  • Enabled Firefox Compatibility mode by default for the useragent string.
    Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3.
    HTML offers plenty of ways to do proper feature detection; site owners should use them. Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
  • The built-in devtools are back, and with a facelift!
    Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27.
  • Security fix:
    Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
 

Svoll

Level 13
Verified
Top Poster
Well-known
Nov 17, 2016
627
Thumbs Up!! Thanks for the info... The new update fixed Twitch so its back as my default browser.

Latest NoScript I can get installed is 2.9.0.14, would there be any security issues using the out dated NS? Latest version of it is incompatible.
 

Vipersd

Level 6
Verified
Dec 14, 2014
285
27.0.3 (16.12.2016)

This is a bug-fix and security update.

Changes/fixes:
  • Fixed certain network errors not displaying.
  • Fixed network error page styling.
  • Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
  • Disabled downloadable font unicode-ranges on non-Windows platforms.
  • Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
  • Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions who rely on this (e.g. Stylish).
  • Fixed and updated preferences for location bar suggestions.
  • Fixed several x64-specific issues in memory allocation code (regression fix).
  • Fixed timer issues when resuming a computer from stand-by (regression fix).
  • Fixed a number of branding and textual issues in the browser.
  • Fixed prompting for the saving of off-line data (previously always allowed without prompting).
  • Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
  • Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.
Security-related and crash fixes:
  • Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
  • Fixed CSP bypass using the marquee tag (CVE-2016-9895).
  • Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
  • Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
  • Fixed an error in the buffer logic in http-chunked decoder.
  • Fixed a crash in generational GC code (not in use by default) DiD
  • Fixed a compartment mismatch bug in plug-in code
  • Fixed a crash trying to get a nonexistent property.
  • Improved MediaRecorder's observer safety.
  • Fixed a crash related to document history.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

You can install new version of NoScript if you save to desktop and then modify the xpi file.

Open the xpi file with some Archive manager and modify install.rdf file inside the archive, find the following line (see below) and change the number to 25 for example. Update the archive and then install xpi file to palemoon.

<em:minVersion>45.0</em:minVersion>
to
<em:minVersion>25.0</em:minVersion>
 
Last edited:
  • Like
Reactions: Svoll and XhenEd

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.1.0 (2017-02-09)

This is a major update with lots of development and bugfixes. It also introduces the so-called "PMkit" modules, our effort to restore compatibility with Jetpack/SDK extensions and making it possible for extension developers to convert their SDK extensions with little effort to a Pale Moon compatible format. For more details please check the PMkit documentation on the developer wiki.

  • Reworked the media back-end completely (thanks Travis!) to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing.
  • On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system.
  • Restored the classic about:config styling.
  • Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
  • Improved cross-compartment wrapper handling when managing a large number of tabs (fixes a performance regression with v27).
  • Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. BlueTooth-connected speakers.
  • Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go.
  • Fixed several errors in the devtools.
  • Fixed a nasty crash caused by cross-origin referrers.
  • Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
  • Added HTML5-spec clipboard handling for content (cut&copy only -- paste is not allowed for security reasons).
  • Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions.
    This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
  • Fixed a css layout issue: make max-width affect contributions to intrinsic min-width.
  • Implemented several updates to the permissions manager. Among others, Improved the permissions manager (about:permissions) with a more complete set of permissions for pages.
  • Removed otherwise unused Metro browser platform/widget code.
  • Removed support for non-standard/deprecated let blocks and expressions.
  • Made the use of let as a keyword versionless and ES6 compliant.
  • Made the privacy category in preferences a tabbed setup to better fit the current options.
  • Fixed a regression preventing certain MP4 video files from playing.
  • Fixed a regression where seeking in media files would halt playback/jump to the end of the stream.
  • Fixed a crash caused by certain downloadable fonts with DirectWrite in use.
  • Improved downloads-button indicator legibility on some combinations of Windows versions and system theme colors.
  • Changed the Facebook user-agent override to be our native one, based on reports from users that it is (finally) working acceptably.
  • Fixed site-specific useragents being ignored if a global override is defined.
  • Changed CORS handling to allow data: sources, assuming they are same-origin. This should fix the infamous "Facebook endless reload" issue and may make some other sites that assume this particular (unspecified) CORS behavior happy with Pale Moon.
  • Reinstated the network.stricttransportsecurity.enabled preference so people who choose privacy over HSTS can do so again.
  • Added, In HSTS "off" state, prevention of HSTS site status from being written to disk.
  • Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar)
  • Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
  • Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
  • Fixed a potential security issue when exporting certificates with specially-crafted credentials. (CVE-2017-5381)
  • Fixed a potential use-after-free situation in frame selection. (CVE-2017-5380) DiD
  • Fixed a leak of window details through the Ion compiler in certain situations.
  • Fixed the potential for an exploitable crash involving Javascript GC. DiD
  • Fixed a potential overflow situation in (non-released) WebRTC code. DiD
  • Fixed a potentially unsafe situation in websockets. DiD
  • Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, 1285960).
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.1.1 (2017-02-21)
This is a stability and bugfix update to the browser.

  • Implemented a fix in media handling to prevent crashes with concurrent videos and/or rapidly starting/stopping video playback in the browser.
  • Fixed the way the Adobe Flash plugin is detected to prevent confusion with other plugins that identify themselves as "Flash" (e.g. VLC).
  • Windows: Solved stability issues caused by the release build process, resulting in unexpected behavior (e.g. hangups).
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.2.0 (2017-03-18)
This is a major update to the browser with a focus on back-end improvements and security.

  • Updated the ICU lib to 58.2 to fix a number of issues.
  • Added proper control for the user for offline storage for web applications.
  • Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
  • Added the feature to pass a URL to open in a private window from the command-line.
  • Improved the display of the downloads indicator on the button in bright-text situations.
  • DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
  • Allowed toolbar button badges to be properly styled.
  • Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
  • Fixed desktop notifications being off-screen if fired in rapid succession.
  • Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
  • Added support for JPEG-XR images.
    This makes Pale Moon have the broadest support for image formats of all web browsers.
    (enabled by default; you can disable this with media.jxr.enabled).
  • Completely removed the use of GStreamer on Linux.
  • Added support for element.innerText.
  • Custom toolbars should now properly remember their state.
  • Fixed some more playback issues with MP4/MSE videos.
    Please be aware that we are still working on further improving MSE video handling.
  • Changed media processing to reduce dangerous processing asynchronicity.
    This should also make media elements and playback more responsive.
  • Fixed a useragent string regression always displaying the minor Goanna version as .0
  • Updated NSPR to 4.13.1.
  • Updated NSS to 3.28.3-RTM.
  • Fixed unrestricted icon sizes in PMkit buttons.
  • Fixed unresponsive buttons on support page when not building the updater.
  • Fixed the use of "View image" and "Save image as" on extremely large images.
  • Changed the way "View Image" and "Save image as" work on canvas elements.
  • Made checking for dangerously large resolution PNG images smarter.
    It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
    This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
  • Converted several hard-coded URLs to preferences.
  • Updated the google.com override so it would not cripple services based on UA sniffing.
  • Added Inner and Outer Window ID administration.
  • Fixed the add-on discovery pane detection.
  • Added support for canvas ellipse.
  • Improved drawing of certain MathML elements at problematic zoom levels.
  • No longer building gamepad support.
  • Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
  • Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
  • Aligned SVG specular filters with the spec.

  • Added support for 256-bit AES-GCM encryption.
  • Added support for ChaCha20-Poly1305 encryption.
  • Removed support for Camellia-GCM since nobody seems interested in it.
    (Camellia in 128/256-bit CBC block mode is still fully supported).
  • Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
  • Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
  • Fixed print preview hijacking. (CVE-2017-5421)
  • Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
  • Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
  • Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
  • Fixed crash in directional controls. (CVE-2017-5413)
  • Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
  • Fixed the use of an uninitialized value. (CVE-2017-5405)
  • Fixed a buffer overflow. (CVE-2017-5412)
  • Fixed a UAF situation. (CVE-2017-5403)
  • Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
  • Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
  • Fixed a potential issue with HTTP auth. (CVE-2017-5418)
  • Fixed several memory safety hazards and potentially exploitable crashes. DiD
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon - portable!
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.2.1 (2017-03-24)
This is a small update to fix some stability and usability issues.

  • Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
  • Fixed a crash related to a change JavaScript array handling introduced in 27.2.0.
    This became apparent with the pentadactyl extension, but could happen in other situations as well.
  • Fixed a crash when opening ridiculously large images with HQ scaling enabled (default).
    Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images.
  • Changed the way URL hashes are handled, and will no longer %-decode anchor hash identifiers by default.
    Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded.
    This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes ar part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect.
    If you want RFC compliance, switch dom.url.getters_decode_hash to true
  • Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2

The Pale Moon Project homepage
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Home
Pale Moon - portable!
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
27.2.1 (2017-03-24)
This is a small update to fix some stability and usability issues.

  • Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
  • Fixed a crash related to a change JavaScript array handling introduced in 27.2.0.
    This became apparent with the pentadactyl extension, but could happen in other situations as well.
  • Fixed a crash when opening ridiculously large images with HQ scaling enabled (default).
    Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope of a web browser to handle such large images.
  • Changed the way URL hashes are handled, and will no longer %-decode anchor hash identifiers by default.
    Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded.
    This is required for web compatibility because several sites use hash links to pass actual data to web applications (Please don't do this! Hashes ar part of the URL address, should only consist of "safe" characters, and aren't suited to pass arbitrary data) and the most common browsers no longer follow the RFC in that respect.
    If you want RFC compliance, switch dom.url.getters_decode_hash to true
  • Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2

The Pale Moon Project homepage
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Home
Pale Moon - portable!

Hi

First time expose to Pale Moon.

Compared to Firefox which is more secure and faster? What are the additional security features provided over Firefox, if any?

Thanks
 
  • Like
Reactions: XhenEd

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Hi

First time expose to Pale Moon.

Compared to Firefox which is more secure and faster? What are the additional security features provided over Firefox, if any? Does the portable version auto updates like its desktop version?

Thanks
I can't really compare Firefox and Pale Moon because I haven't used Firefox for a long time, and besides Pale Moon is Goanna-based (a Gecko engine fork) rather than Gecko-based. :)

I also have no idea about the portable version, as I don't use it. :)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
I can't really compare Firefox and Pale Moon because I haven't used Firefox for a long time, and besides Pale Moon is Goanna-based (a Gecko engine fork) rather than Gecko-based. :)

I also have no idea about the portable version, as I don't use it. :)
I understand Pale Moon strips off those "unwanted" features from Firefox for speeding up purpose. But are there any security improvement over Firefox?

Thanks
 
  • Like
Reactions: XhenEd

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I understand Pale Moon strips off those "unwanted" features from Firefox for speeding up purpose. But are there any security improvement over Firefox?

Thanks
About security, I think it depends on one's perspective. Both browsers implemented security features over the years. Both have security fixes over the years. I really don't have the technical details, so I can't conclude. But Firefox has the multi-process, so maybe Firefox has the edge. But I'm really not sure (tell the Pale Moon dev about multi-process and he'll tell you that it's not worth the effort both for security and speed). :)
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.3.0 (2017-04-28)
A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.

  • Fixed up, checked and enabled vertical text writing modes!
    Pale Moon will now be able to display vertical, right-to-left script.
  • Added the option to reset non-default profiles.
  • Fixed various issues in the WebP image decoder.
  • Added internally-supported document types to allowed <embed> types.
  • Fixed locale selection in ICU after update to ICU58.
    (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
  • Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
  • Ongoing fixes for the MP4 parser and MSE.
  • Made HTML Media Elements' preload attribute MSE-spec compliant.
    The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
  • Fixed some issues with Windows WMF media playback.
  • Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
  • Fixed display of RSS folder icons.
  • Fixed issues with custom context menus.
  • Fixed an issue importing bookmarks with separators losing their extra data.
  • Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
  • Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
    0 = load restored tab data from cache (current behavior, default)
    1 = refresh restored tab data from the network
    2 = refresh stored tab data from the network and bypass any cached data.
  • Improved upon a v27 performance regression with SVG scaling.
  • Improved performance by being more selective which CSS animations to process.
    As a side-effect, elements changing their display from "none" to something visible now also animate.
  • Increased memory allocation for the use of very large PAC files.
  • Added menu entries for the permissions manager and improvements to its function and display.
  • Added preferences to control "highlight all" behavior of the find bar:
    accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
    accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
  • Added devtools command-line options.
  • Added remote IP and protocol to Devtools->Network entry details.
  • Added support for <details> and <summary> HTML tags.
  • Fixed a regression in the MSIE profile migrator.
  • Removed migration of browser-specific settings when migrating data from IE/Safari.
  • Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues doe to the current conflicting text of it).
  • Made the image document favicon skinnable.
  • Aligned DOM selection addRange with the spec.
  • Exposed mozAnon constructor js binding to system scopes for XHR.
  • Enhanced form data handling from JavaScript.

  • Updated NSS to 3.28.4-RTM to address a number of issues.
  • Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
  • Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
  • Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
  • Added an option to display punycode domain for IDN websites to combat phishing.
    This is enabled by default for domain-validated https sites.
    Preference: browser.identity.display_punycode
    0 = Display IDN name in identity panel (previous behavior)
    1 = Display punycode name for DV SSL domains (default)
    2 = Also display punycode for HTTP sites if IDN name used
  • Fixed an issue to prevent contacting remote servers when a connection might get blocked.
  • Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
  • Fixed several memory- and thread-safety hazards.
  • Fixed an address bar spoofing issue. (CVE-2017-5451)
  • Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
  • Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
  • Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
  • Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
  • Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
  • Fixed a potentially exploitable issue in graphite font shaping.
  • Fixed a potentially exploitable crash with credential-authentication.
  • Fixed out-of-bounds access with text selection in rare cases.
  • Fixed a security hazard in the ANGLE library.


The Pale Moon Project homepage
Pale Moon - Release Notes
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon - portable!
Pale Moon for Linux - Your browser, your way!
 
Last edited:

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.4.0 (2017-07-12)
This is a major update to straighten out most of the media streaming issues, as well as adding the necessary enhancements, bugfixes and security fixes to the browser.

  • Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
    Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
    • If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
    • We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
    • Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronouse MSE in settings (otherwise the WebM setting will be greyed out and disabled).
  • Added a control in options/preferences for HSTS and HPKP usage.
  • Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
  • Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
  • Fixed some issues accessing DeviantArt (useragent-sniffing).
  • Aligned CSS text-align with the spec.
  • Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
  • Fixed spurious console errors for XHR requests with certain http response codes.
  • Enabled v-sync aligned refresh for a smoother scrolling experience.
  • Removed support for CSS XP-theme media queries.
  • Improved console error reporting.
  • Fixed resetting toolbars and controls from the safe mode dialog.
  • Fixed bookmark recovery option from the safe mode dialog.
  • Fixed innerText getters for display:none elements.
  • Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
  • Added some more details to about:support.
  • Fixed a potential crash when the last audio device is removed during playback.
  • Fixed a crash on about:support when windowless browsers are created.
  • Updated <select> elements to blank if the actively set value doesn't match any of the options.
  • Updated the interpretation of 2-digit years in date formats to match other browsers:
    0-49 = 2000-2049, 50-99 = 1950-1999.
  • Added "q" units to CSS (quarter of a millimeter).
  • Added .origin property to blobs.
  • Fixed several minor layout issues.
  • Fixed disabled HTML elements not producing the proper JS events.
  • Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
  • Fixed a spec compliance issue with execCommand() on HTML elements.
  • Fixed a problem with table borders being drawn uneven or being omitted when zooming the page.
  • Added devtools "filter URLs" option in the network panel.
  • Added visual sorting options to the Network inspector.
  • Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
  • Added importing of tags from bookmark export files (HTML format).
  • Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
  • Fixed several cases of wrongly-used negations in JS modules.
  • Added the auxclick mouse event.
  • Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
  • Updated the Graphite font library to 1.3.10.
  • Updated how image and media elements respond to window size changes (responsive design).
  • Added parsing and use of rotation meta data in video.
  • Fixed several crashes in a number of modules.
  • Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test) \o/
  • Fixed some issues with notification icons.
  • Fixed some internal errors with live bookmarks.
  • Updated SQLite to 3.19.3.
  • Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
  • Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).
  • Removed preloading of HPKP hosts and enabled HPKP header enforcement.
  • Added support for TLS 1.3, the up-next secure connection protocol.
  • Fixed an issue with TLS 1.3 not supporting renegotiation by design.
  • Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated `child-src` directive.
  • Updated NSS to 3.28.5.1-PM to address some security issues.
  • Updated the installer selfextractor module to address unsafe loading of libraries.
  • Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.org)
  • Fixed a regression in the display of security information in the page info dialog for insecure content.
  • Fixed two potential issues with allocating memory for video. DiD
  • Fixed a potential issue with the network prediction algorithm. DiD
  • Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
  • Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
  • Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.

The Pale Moon Project homepage
Pale Moon - Release Notes
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Your browser, your way!
Pale Moon - portable!
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.4.1 (2017-08-03)
This is a small update to address some media and web compatibility issues.

  • Fixed an issue where media playback would not use hardware acceleration properly when using MSE.
    This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube.
  • Fixed ES6 iterator chains to be spec-compliant.
  • Fixed ES6 vector append calls and some related memory leaks.
  • Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash.



The Pale Moon Project homepage
Pale Moon - Release Notes
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Your browser, your way!
Pale Moon - portable!
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
27.4.2 (2017-08-22)
This is a small update to address some security and stability issues.

  • Fixed a number of crashes.
  • Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
  • Added a fix for TLS 1.3 handshakes causing a browser hangup.
    Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
  • Updated NSPR to 4.15.
  • Updated NSS to 3.31.1.
  • Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
  • Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
  • Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
  • Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
  • Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
  • Fixed a UAF in WebSockets (CVE-2017-7800)
  • Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

The Pale Moon Project homepage
Pale Moon - Release Notes
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Your browser, your way!
Pale Moon - portable!
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
From: Pale Moon - Release Notes

27.5.0 (2017-09-26)
This is a major update furthering general development of the browser.
  • User interface:
    • Added a menu option to restart the browser.
    • Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
    • Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
    • Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
    • Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
    • Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
    • Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
    • Cleaned up some dead code for the plugin updater that no longer exists.
    • Fixed a text direction issue in preferences.
    • Fixed an issue with disabled context menu entries after using Customize...
    • Reorganized and cleaned up the status preferences.
  • Media:
    • MSE Media updates (ongoing). We are focusing on improving MP4 handling.
    • Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
    • Fixed a number of searching issues in MP3 files
    • Fixed a few crashes.
  • Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
  • Fixed a regression re: domains allowed to/blocked from installing add-ons.
  • Fixed several internal errors thrown in the front-end.
  • Fixed several minor issues in the devtools.
  • Fixed a number of minor issues in the devtools.
  • Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
  • Added an option to control add-on blocklist behavior (Options -> Security)
  • Added DOM function isSameNode().
  • Added DOM onvisibilitychange event.
  • Added document.scrollingelement (CSSOM).
  • Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
  • Added "Open in new private window" to bookmarks, feeds and history entries.
  • Added HTTP request method OPTIONS.
  • Added an option to exit to a no-content page after encountering a network or security error.
    This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
  • Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
  • Improved the handling of several CSS selectors.
  • Changed session storage to remember form data for https sites by default.
  • Added (yet another) trap prevention method to onbeforeunload events.
  • Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
  • Fixed not being able to deselect loading bookmarks in the sidebar.
  • Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
  • Fixed a number of potential crash points.
  • Improved the security of the Windows dll loader module.
  • Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
  • Made URL matching more liberal in selected text to make it easier to open stated addresses.
  • Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
  • Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
  • Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
    Please be aware that https-filtering antivirus may interfere with future application updates as a result.
  • Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
  • Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
  • Fixed a problem with some H.264 media not playing (SPS NAL).
  • Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
  • Improved context search on selected text/links.
  • Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
  • Added a fix on Linux for starting the browser from Enlightenment.
  • Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.

The Pale Moon Project homepage
Pale Moon Windows 32-bit downloads
Pale Moon Windows 64-bit downloads
Pale Moon for Linux - Your browser, your way!
Pale Moon - portable!
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top