Community Manager
Staff member
Pale Moon 25.8.1

28 Nov 2015:
Pale Moon 25.8.1 has been released which is a small update to address some important stability/usability issues.

Changes in Pale Moon 25.8.1:
  • Fix for a crash that could occur at random since the update to 25.8.0.
  • Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.
Download: Pale Moon 25.8.1 | 20.4 MB (Freeware)
Download: Portable Pale Moon 25.8.1 | 22.2 MB
Download: Pale Moon 25.8.1 x64 | 23.6 MB
Download: Intel Atom & Windows XP optimized Pale Moon 25.8.1 | 19.1 MB


Level 63
Pale Moon 26.0.0, public beta 3


  • Like
Reactions: darko999 and XhenEd


26.3.1 (2016-06-25)
  • Fixed an issue with new tab button theming on dark toolbars.
  • Reverted the useragent identification of Firefox compatibility mode to 38.9 to avoid WOFF2 font issues for sites that don't use proper font deployment as recommended by the W3C.
  • Added a site-specific override for Google fonts to make sure it always works even if not using Firefox compatibility mode.
    (workaround pending for a proper solution on Google's side)
  • Adjusted the "dark color" detection routine to switch text to white at higher relative contrast levels.
    This will more closely match Windows 10's "flip point" for different accent colors and is within the recommended range determined by the WCAG.
The Pale Moon Project homepage


Level 37
Anyone using this? What about its performance (x64) ?
Hello @yigido, having just updated it is performing well, and has not disappointed.:) It is a newly installed x64 on our Windows 10 system. Sync still does not recognize email as valid to start an account, and I've :eek:deleted our portable versiono_O which no longer opened in Sanboxie.
Update: Hooray! Sync worked today by accepted my entrys!:p
Last edited:


26.3.3 (2016-07-01)
Another small bugfix update to address some breaking issues. Sorry for the rapid-fire releases, everyone; this is not our intention.

  • Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
  • Fixed an issue with news feeds not showing up when embedded in web pages.
  • Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.
The Pale Moon Project homepage


Level 10
26.4.0 (2016-08-17)
  • Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Enginestopic.
  • Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
  • Added the ES6 string .includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
  • Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly.
  • Linux: improved memory allocation.
  • Updated the graphite font library to 1.3.9.
  • Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
  • Updated the SQLite library to 3.13.0.
  • Download= properties of links are now honored from the context menu "Save" option.
  • Fixed a crash in the XSS filter.
  • Fixed a crash in the DOM error module.
  • Worked around a crash on Linux
  • Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment)
Security fixes:
  • (CVE-2016-5251)Potential URL spoofing in the address bar.
  • (CVE-2016-0718) Context-dependent crash in expat 2.1.0.
  • (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
  • Fixed potentially exploitable crash in the array splice implementation.
  • Fixed potentially exploitable crash caused by badly formatted ICO files.
  • (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown
The Pale Moon Project homepage


Level 10
26.4.1 (2016-09-12)
This is a minor bugfix and security release.

  • Fixed a crash in the XSS filter.
  • Slightly changed the address bar shading on secure sites to be more subtle and easily-blended.
  • Fixed the occurrence of "null" titles in bookmarks dragged from special folders.
  • Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved.
  • Fixed some minor issues in scratchpad and gcli devtools.
Security fixes:
  • Updated the HSTS preload list to a much more updated source list, and performing our own checks on validity from now on to have the list be as accurate as possible.
  • Disabled Triple-DES cipher suites by default (mitigating SWEET32).
Portable-only: Changed the behavior to, by default, allow it to start a new copy or multiple copies without checking if Pale Moon is already running on the system. You will need separate profiles to run multiple browsers concurrently.

The Pale Moon Project homepage