27.7.2 (2018-02-01)This is a security and stability update.|
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
- Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
- Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
- Improved the debug-only startup cache wrapper to prevent a rare crash.
- Fixed a crash in the XML parser.
- Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
- Fixed a potential race condition in the browser cache.
- Fixed a crash in HTML media elements (CVE-2018-5102)
- Fixed a crash in XHR using workers.
- Fixed a crash with some uncommon FTP operations.
- Fixed a potential race condition in the JAR library.
27.7.1 (2018-01-18)This is a minor emergency update to address website breakage and a theme issue.
- Added support for Array.prototype[@@unscopables].
- Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.
27.7.0 (2018-01-15)This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.
- Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
- Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
- Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
- Fixed an issue on Mac builds not properly populating the application menu.
- Added "My home page" as an option for new tabs.
- Added an option to disable the 4th and 5th mouse buttons (Windows).
(mouse.button4.enabled and mouse.button5.enabled, respectively)
- Improved the resetting of non-default profiles.
- Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
- Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
- Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
(this should fix layout issues with Twitch's new web interface)
- Fixed an issue where CSS clone operations would draw a border.
- Changed the way fractional border widths are rounded to provide more natural behavior.
- Fixed an issue where number inputs would incorrectly be flagged as read-only.
- Added assets for tile display in the Windows start panel.
- Finished sync infra swapover by adding a one-time pref migration for server used.
- Improved WebAudio API: Return the connected audio node from AudioNode.connect()
- Added support for a default playback start position in media elements.
- Fixed an assert in cubeb-alsa code (Linux).
- Added support for media cue-change events (e.g. subtitles).
- Updated SQLite to 3.21.0.
- Fixed a crash when trying to use the platform embedded.
- Fixed devtools (gcli) screenshots on vertical-text pages.
- Fixed devtools copy as cURL for POST requests.
- Improved the HTML editor component (several bugfixes).
- Added support for ES7's exponentiation a ** b operator.
- Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
- Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
- Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
- Removed the sending of referrers when opening a link in a new private window.
- Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
- Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
- Added support for X-Content-Type-Options: nosniff (for scripts).
- Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD
27.6.2 (2017-11-28)This is a security and minor bugfix update to the browser.
This will most likely be the last update for 2017, with the holidays not far away.
- Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
- Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar.
Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
- Fixed an issue with mixed-content blocking. (CVE-2017-7835)
- Added an extra check for the correct signature data type on certificates.
- Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
- Fixed several crashes and memory safety hazards.
- Fixed the Linux load throbber image to be properly encoded, to prevent flickering.
- Removed the shortcut key combination for restarting the browser to avoid issues with people using certain keyboard layouts hitting the combination and unintentionally triggering a browser restart.
27.6.1 (2017-11-15)This is a minor bugfix release to address some pressing issues people have reported.
- Fixed a regression with new windows (opening two windows from the command-line or file association, focus issues on new windows, not loading the home page in a new window, etc.)
- Aligned XHR with the currect spec to allow withCredentials.
- Fixed an input element focus issue within handlers.
- Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups.
- Updated CitiBank override to work around their login issues.
- Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better.
27.6.0 (2017-11-07)This is a major development update.
- Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
- Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
- Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
- Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
(enjoy your LOLcats again!)
- Changed automatic updates over to the new infrastructure.
- Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
- Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
- Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
- Improved upmixing of mono sound for multi-channel setups.
- Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
- Fixed "Remove from history" function from the downloads panel.
- Forced focus on the address bar in new windows if the content is a blank/empty document.
- Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
- Further cleaned up the status bar code.
- Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
- Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
- Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
- Updated WOFF2 code from upstream.
- Updated the zlib compression library.
- Made general improvements to internal code structure and spec adherence.
- Fixed an issue with certain command-line parameters being used.
- Updated the default theme to improve consistency and contrast of toolbar and download buttons.
- Increased the default duration of notification pop-ups and made them configurable.
- Improved handling of audio-visual media (ongoing).
- Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
- Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
- Fixed the selection system inside of a nested contenteditable element being broken.
- Fixed Windows 10 detection for blocklisting graphics drivers.
- Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
- Fixed the uninstallation routine of restartless add-ons.
- Fixed the handling of unimplemented functions in the console API.
- Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
- Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
- Added an option to clear Site Connectivity Data (delete history).
- Removed stale entries from the HSTS preload list, and improved generation/processing of it.
- Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
- Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
- Worked around some more issues with broken Apple fonts.
27.5.1 (2017-10-10)This is a security and stability update to the browser, as well as fixing some issues users have indicated.
- Changed the default Windows 10 styling when no accent color is applied to black-on-white.
- Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
- Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
- Fixed a crash in the media subsystem.
- Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.
- Updated the hyphenation library to the latest upstream code to fix a security issue.
- Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
- Updated NSS to 3.32.1-RTM.
- Worked around some more issues with Mac fonts (CVE-2017-7825).
- Fixed a potential rooting hazard in NPAPI plugin code. DiD
27.5.0 (2017-09-26)This is a major update furthering general development of the browser.
- User interface:
- Added a menu option to restart the browser.
- Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
- Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
- Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
- Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
- Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
- Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
- Cleaned up some dead code for the plugin updater that no longer exists.
- Fixed a text direction issue in preferences.
- Fixed an issue with disabled context menu entries after using Customize...
- Reorganized and cleaned up the status preferences.
- MSE Media updates (ongoing). We are focusing on improving MP4 handling.
- Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
- Fixed a number of searching issues in MP3 files
- Fixed a few crashes.
- Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
- Fixed a regression re: domains allowed to/blocked from installing add-ons.
- Fixed several internal errors thrown in the front-end.
- Fixed several minor issues in the devtools.
- Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
- Added an option to control add-on blocklist behavior (Options -> Security)
- Added DOM function isSameNode().
- Added DOM onvisibilitychange event.
- Added document.scrollingelement (CSSOM).
- Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
- Added "Open in new private window" to bookmarks, feeds and history entries.
- Added HTTP request method OPTIONS.
- Added an option to exit to a no-content page after encountering a network or security error.
This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
- Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
- Improved the handling of several CSS selectors.
- Changed session storage to remember form data for https sites by default.
- Added (yet another) trap prevention method to onbeforeunload events.
- Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
- Fixed not being able to deselect loading bookmarks in the sidebar.
- Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
- Fixed a number of potential crash points.
- Improved the security of the Windows dll loader module.
- Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
- Made URL matching more liberal in selected text to make it easier to open stated addresses.
- Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
- Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
- Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
Please be aware that https-filtering antivirus may interfere with future application updates as a result.
- Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
- Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
- Fixed a problem with some H.264 media not playing (SPS NAL).
- Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
- Improved context search on selected text/links.
- Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
- Added a fix on Linux for starting the browser from Enlightenment.
- Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
22.214.171.124 (2017-08-28)This is an out-of-band update for the portable version of the browser only (Windows).
This fixes a few issues in the portable shell regarding backups and settings.
To update, please follow the recommended update procedure listed on the Pale Moon Portable page.
27.4.2 (2017-08-22)This is a small update to address some security and stability issues.
- Fixed a number of crashes.
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
- Added a fix for TLS 1.3 handshakes causing a browser hangup.
Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
27.4.1 (2017-08-03)This is a small update to address some media and web compatibility issues.
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
- Fixed a UAF in WebSockets (CVE-2017-7800)
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
27.4.0 (2017-07-12)This is a major update to straighten out most of the media streaming issues, as well as adding the necessary enhancements, bugfixes and security fixes to the browser.
- Fixed an issue where media playback would not use hardware acceleration properly when using MSE.
This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube.
- Fixed ES6 iterator chains to be spec-compliant.
- Fixed ES6 vector append calls and some related memory leaks.
- Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash.
- Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
- If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
- We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
- Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronouse MSE in settings (otherwise the WebM setting will be greyed out and disabled).
- Added a control in options/preferences for HSTS and HPKP usage.
- Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
- Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
- Fixed some issues accessing DeviantArt (useragent-sniffing).
- Aligned CSS text-align with the spec.
- Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
- Fixed spurious console errors for XHR requests with certain http response codes.
- Enabled v-sync aligned refresh for a smoother scrolling experience.
- Removed support for CSS XP-theme media queries.
- Improved console error reporting.
- Fixed resetting toolbars and controls from the safe mode dialog.
- Fixed bookmark recovery option from the safe mode dialog.
- Fixed innerText getters for display:none elements.
- Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
- Added some more details to about:support.
- Fixed a potential crash when the last audio device is removed during playback.
- Fixed a crash on about:support when windowless browsers are created.
- Updated <select> elements to blank if the actively set value doesn't match any of the options.
- Updated the interpretation of 2-digit years in date formats to match other browsers:
0-49 = 2000-2049, 50-99 = 1950-1999.
- Added "q" units to CSS (quarter of a millimeter).
- Added .origin property to blobs.
- Fixed several minor layout issues.
- Fixed disabled HTML elements not producing the proper JS events.
- Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
- Fixed a spec compliance issue with execCommand() on HTML elements.
- Fixed a problem with table borders being drawn uneven or being omitted when zooming the page.
- Added devtools "filter URLs" option in the network panel.
- Added visual sorting options to the Network inspector.
- Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
- Added importing of tags from bookmark export files (HTML format).
- Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
- Fixed several cases of wrongly-used negations in JS modules.
- Added the auxclick mouse event.
- Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
- Updated the Graphite font library to 1.3.10.
- Updated how image and media elements respond to window size changes (responsive design).
- Added parsing and use of rotation meta data in video.
- Fixed several crashes in a number of modules.
- Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test) \o/
- Fixed some issues with notification icons.
- Fixed some internal errors with live bookmarks.
- Updated SQLite to 3.19.3.
- Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
- Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).
- Removed preloading of HPKP hosts and enabled HPKP header enforcement.
- Added support for TLS 1.3, the up-next secure connection protocol.
- Fixed an issue with TLS 1.3 not supporting renegotiation by design.
- Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated `child-src` directive.
- Updated NSS to 126.96.36.199-PM to address some security issues.
- Updated the installer selfextractor module to address unsafe loading of libraries.
- Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.com)
- Fixed a regression in the display of security information in the page info dialog for insecure content.
- Fixed two potential issues with allocating memory for video. DiD
- Fixed a potential issue with the network prediction algorithm. DiD
- Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
- Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
- Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.