*DiD stands for "Defense-in-Depth" and is a fix that does not apply to an actively exploitable vulnerability in Pale Moon but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.Details from the Release Notes:
Security and Privacy Changes:
- Added support for 256-bit AES-GCM encryption.
- Added support for ChaCha20-Poly1305 encryption.
- Removed support for Camellia-GCM since nobody seems interested in it.
(Camellia in 128/256-bit CBC block mode is still fully supported).
- Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
- Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
- Fixed print preview hijacking. (CVE-2017-5421)
- Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
- Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
- Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
- Fixed crash in directional controls. (CVE-2017-5413)
- Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
- Fixed the use of an uninitialized value. (CVE-2017-5405)
- Fixed a buffer overflow. (CVE-2017-5412)
- Fixed a UAF situation. (CVE-2017-5403)
- Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
- Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
- Fixed a potential issue with HTTP auth. (CVE-2017-5418)
- Fixed several memory safety hazards and potentially exploitable crashes. DiD
- Updated the ICU lib to 58.2 to fix a number of issues.
- Added proper control for the user for offline storage for web applications.
- Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
- Added the feature to pass a URL to open in a private window from the command-line.
- Improved the display of the downloads indicator on the button in bright-text situations.
- DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
- Allowed toolbar button badges to be properly styled.
- Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
- Fixed desktop notifications being off-screen if fired in rapid succession.
- Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
- Added support for JPEG-XR images.
This makes Pale Moon have the broadest support for image formats of all web browsers.
(enabled by default; you can disable this with media.jxr.enabled).
- Completely removed the use of GStreamer on Linux.
- Added support for element.innerText.
- Custom toolbars should now properly remember their state.
- Fixed some more playback issues with MP4/MSE videos.
Please be aware that we are still working on further improving MSE video handling.
- Changed media processing to reduce dangerous processing asynchronicity.
This should also make media elements and playback more responsive.
- Fixed a useragent string regression always displaying the minor Goanna version as .0
- Updated NSPR to 4.13.1.
- Updated NSS to 3.28.3-RTM.
- Fixed unrestricted icon sizes in PMkit buttons.
- Fixed unresponsive buttons on support page when not building the updater.
- Fixed the use of "View image" and "Save image as" on extremely large images.
- Changed the way "View Image" and "Save image as" work on canvas elements.
- Made checking for dangerously large resolution PNG images smarter.
It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
- Converted several hard-coded URLs to preferences.
- Updated the google.com override so it would not cripple services based on UA sniffing.
- Added Inner and Outer Window ID administration.
- Fixed the add-on discovery pane detection.
- Added support for canvas ellipse.
- Improved drawing of certain MathML elements at problematic zoom levels.
- No longer building gamepad support.
- Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
- Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
- Aligned SVG specular filters with the spec.
- Windows Vista/Windows 7/8/10/Server 2008 or later
- Windows Platform Update (Vista/7) strongly recommended
- A processor with SSE2 instruction support
- 256 MB of free RAM (512 MB or more recommended)
- At least 150 MB of free (uncompressed) disk space