Pale Moon has been updated to version 33.6.0. This is a development, bugfix and security update.
From the Release Notes:
"Due to the fact that CloudFlare has been causing application crashes that impacts many users, this release has been pulled forward a few days to address these crashes with priority (should be fixed in this release).
Please note that at the time of publication of this browser version and release notes, even though crashes have been fixed, CloudFlare is denying UXP-based browsers as well as several other independent/smaller browsers access to many websites by way of their malfunctioning "security check" or captcha, with no priority given to actually fix it despite it being denial of service for users of affected browsers. Please consider reporting any and all occurrences of a failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this)."
Changes/fixes:
- Implemented a content sniffer for ADTS and raw AAC audio.
- Implemented AbortSignal.abort() and stub AbortSignal.timeout().
- Unprefixed the :modal CSS pseudo-class and exposed it to content.
- Improved efficiency and performance of the Cycle Collector.
- Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
- Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
- Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
- Updated the root certificates in the internal trust store.
- Updated the Public Suffix List (eTLD) in the browser.
- Removed no longer specced URL Constructor(DOMString url, URL base).
- Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
- Changed the default Firefox Compatibility user-agent version to 115.0.
- Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
- Fixed a number of bugs and spec compliance issues in WebCrypto.
- Fixed installer application naming issue causing failure to detect running application.
- Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
- Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
- Fixed a crash in the XSLT stylesheet importing code.
- Updated NSS to 3.90.6 (custom) to pick up several security fixes.
- Security issues addressed: CVE-2025-1009.
Implementation notes:
- When updating the browser to this version, a one-way upgrade of the cookie database in your browser profile is performed on first start. The new cookie database is not backwards compatible, meaning you cannot use the browser profiles that have been upgraded by this version or later with any prior versions of the browser without data loss.
This is generally the case as most upgrades of user data storage are one-way, but having all your cookies cleared unintentionally is something most people prefer to avoid, hence this warning and a general reminder of profile migrations to newer versions that may happen with any (non-minor) browser upgrade.
Notes: *DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.
Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window. Select About Pale Moon > Check for Updates.
Release Notes
Release Cycle
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
Mozilla sent Firefox Version 135.0.1 to the release channel. No updates were released for Firefox ESR.
