Pale Moon has been updated to version 33.3.0. This is a major development update.
Important notes with this version:
- From this version forward, all 64-bit releases require a processor with AVX capabilities! Please keep en eye on the forum for announcements of 64-bit SSE builds by the community if you are on particularly old or otherwise limited hardware that does not support AVX.
- For Linux users: Starting with this version, our binaries are built with gcc 11 on a still conservative but more modern build platform (Oracle Linux 8). As a result, there may be some lib incompatibilities if you are still running on a particularly old distro for some reason. While we try to serve as broad of a Linux base as possible with our binaries, our lowest common denominator will occasionally shift to newer distros as a result of O.S. life cycles, compiler capabilities and available libraries.
Changes/fixes:
- Implemented the bulk of the CSS "cascade layers" spec (
@layer{}
). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web.
- Implemented support for
Sec-Fetch-*
headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does. - Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
- Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes.
- Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes.
- Dev: Aligned rounding behavior and precision ranges of
toFixed
and related functions with the spec. See implementation notes. - Dev: Aligned isTrusted for
PostMessage
and BroadcastChannel
with expected values on the web. See implementation notes. - Dev: Added the
navigator.webdriver
attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs).
- Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance.
- Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling.
- Fixed an issue with setting DOM color values. DiD
- Slightly improved password form handling, detecting previously unsupported field orders.
- Updated NSS to 3.90.4.
- Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates).
- Code cleanup:
- Removed unused code related to the (incomplete) FoxEye experiment.
- Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux).
- Removed click event dispatching code that is no longer relevant.
- Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code).
- Removed the hidden
network.dns.disablePrefetchFromHTTPS
pref. DNS prefetching should not be treated differently for http and https.
- Security issues addressed: CVE-2024-7531.
Implementation notes:
- Pale Moon will now pre-emptively look up the internet addresses in DNS for website navigation (e.g. from links). This speeds up navigation as there will be no delay for DNS lookups when users navigate to a new host or domain from the visited page. Please note that this only deals with DNS (i.e.: looking up the addresses of websites in the domain name system) and Pale Moon will not pre-emptively connect to the servers in question; it will just have the addresses for them ready in case the user decides to navigate to them.
For some people, this may still be seen as a privacy issue (e.g. when the DNS server operated within an organization is tightly monitored for "unwanted traffic") as it will regularly fire DNS lookups for hosts or domains the user doesn't actually visit, so if this is a concern for you and you wish to revert to our previous behavior, go to Preferences -> Advanced -> tab "Network", and uncheck "Prefetch DNS lookups". - Pale Moon will no longer allow connecting to the "this machine" special reserved address 0.0.0.0 (and IPv6 equivalents [::]/[::0.0.0.0]) on operating systems other than Windows. This is to mitigate potentially unrestricted access to local resources on UNIX-like operating systems due to the way the network stack operates there. If needed for your use case, you can control this behavior through the preference
network.dns.blockQuad0
-- if set to true
, any attempt to connect to the reserved addresses will result in an error.
- We aligned behavior of number conversions with what is generally expected on the web by mainstream browser engines and/or updated specs. Specifically,
toFixed
no longer accepts negative precision ranges, and toExponential
will now round up at the midpoint in the decimal significand. - Initially, the mechanisms
BroadcastChannel
and MessagePort
implicitly called for dispatched events to not be trusted, but since browsers marked them as trusted, this was in conflict with the spec. Eventually, the spec for this was changed to make them trusted in this case. Pale Moon now follows this behavior as well.
*DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.
Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.
Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.
Release Notes
Release Cycle
Remember - "A day without laughter is a day wasted."