Tuesday, February 19, 2019

Pale Moon Version 28.4.0 Released with Security Updates


Pale Moon has been updated to version 28.4.0. This is a major development, stability and security release. The Linux versions will follow later today.

A fix marked "DiD" ("Defense-in-Depth") does not address a (potentially) actively exploitable vulnerability in Pale Moon. Instead, it prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes and exposes the problem, or when new attack vectors are discovered.

From the Release Notes:


Security fixes:
  • Fixed a potential use-after-free in IndexedDB code. (DiD)
  • Improved proxy handling to avoid localhost getting proxied. (CVE-2018-18506)
  • Ported upstream Skia fixes. (CVE-2018-18356, CVE-2018-18335)
  • Fixed an additional Skia issue. (CVE-2019-5785)
  • Fixed several potentially-exploitable memory safety hazards and crashes. (DiD)
  • Fixed a possible data race when performing compacting GC.

Changes/fixes:
  • Removed more telemetry code from the platform.
  • Fixed implementation of the IntersectionObserver API to avoid crashes, and enabled it by default.
  • Switched to the new ffmpeg decode API to avoid dropping of frames.
  • Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes.
  • Improved resource-efficiency for internal stopwatch timers.
  • Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos.
  • Improved the Cycle Collector and Garbage Collector.
  • Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen.
  • Aligned instanceof with the final ES6 spec.
  • Improved Windows DIB (bitmap) clipboard data handling.
  • Exposed TLS 1.3 cipher suite prefs in about:config in case people want to disable them individually.
  • Allowed empty string on the location.search setter to clear URL query parameters from JS.
  • Added a potential fix for external links not opening in the current window/tab (untested).
  • Enabled C++11 thread-safe statics in the entire application.
  • Updated several preferences for integration with the new add-ons site.

Download:

Update

To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.




Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


