Pale Moon full changelog

Fixed a regression in 34.2.1 that would cause crashes to desktop when using certain extensions or visiting certain websites.
Fixed potential security issues with audio channel mixing, MP3 decoding (DiD), international text display, DOM workers (DiD), reading of files (DiD), and the ANGLE graphics library.

Changes/fixes:
Fixed a regression leading to cursive languages (where multiple characters combine) not being rendered correctly (e.g. Arabic).
Updated our cookie magic prefix handling, adding __Http- and __Host-Http- magic prefixes and aligning our implementation with RFC 6265bis.
Updated our Brotli library to 1.2.0+ (1.2.0 with additional fixes).
Updated NSS to 3.90.10.0 (UXP). For clarity, the version now carries the (UXP) label to distinguish this fork (which has additional mitigations) from the 3.90 branch of NSS maintained by Mozilla.
A large audit of security issues was performed. Many security issues were addressed, including potential crash scenarios and code correctness issues.
As a summary: 50 potential vulnerabilities were found applicable and fixed, 20 issues had DiD code changes applied, and 4 were already mitigated by us before being reported.
Of the reported vulnerabilities, 270 were not applicable to our code (with the vast majority pertaining to e10s/multi-process browser architecture) and 6 low-impact ones were marked for further investigation at a later time.

New features:
Implemented ES2018 Proxy ownKeys duplicate-key invariant.
Implemented ES2022 Error.cause property.
Implemented support for oklab and oklch color spaces in CSS.
Implemented ES2024 object.GroupBy.
Implemented the remainder of the ES2023 Change Array by Copy proposal (toSpliced(), with(), and TypedArray versions of toReversed(), toSorted() and with()).
Implemented AudioNode constructors.
Implemented support for nested CSS grammar.
Implemented the window.MathMLElement global.
Changes/fixes:
Fixed a crash related to WeakRef use.
Fixed stack exhaustion crashes as a result of top-level await in modules.
Updated our expat parser library to 2.7.4, fixing various issues.
Updated url.CanParse() to allow custom schemes.
Updated document.currentScript to align with the currently used spec.
Fixed a crash due to infinite recursion.
Fixed a crash on MacOS due to WebGL attribute arrays.
Fixed a crash related to pointer @media queries in CSS.
Fixed a crash related to the spellchecker when handling input fields in Shadow DOM.
Future-proofed whitespace handling in ParseDate in light of Unicode variable whitespace use.
Removed irrelevant plugin preferences when plugin support isn't built into the browser (non-standard builds/forks).
Improved support for the mimalloc memory allocator.
Improved support for LoongArch CPUs.
Added special handling for certain MacOS system fonts.
Removed leftover code for unsupported Itanium, 32-bit Sparc and other old architectures.
Added a workaround for CloudFlare image resizing, since it requires more opaque URL handling to function.
This workaround is controlled with the new preference network.url.cloudflare_image_resizing.enabled (default true). See implementation notes.
Security issues addressed: CVE-2026-4707 (DiD), CVE-2026-4690 (DiD), CVE-2026-4727 (DiD), and others without a CVE designation.
A note that Mozilla-relevant security issues CVE-2025-59375 and CVE-2026-4726 had already been addressed in the browser before this release.
Impl

New features:
Re-landed Xoroshiro128++ JavaScript PRNG to make it more robust while keeping high performance.
This was previously backed out due to intermittent issues and crashes.
Implemented JavaScript SubmitEvent support for HTML forms.
Implemented JavaScript requestSubmit() for HTML forms.
Implemented JavaScript toSorted().
Implemented JavaScript toReversed().
Implemented top-level await support for JavaScript modules. See implementation notes.
Implemented pointer and hover CSS media queries.
Enabled hardware-accelerated decoding for VP9 videos (where possible).
Changes/fixes:
Re-landed our expat library update, with fixes for large attribute parsing.
Updated the JPEG-XL library to 0.11.2 to pick up security and performance fixes, and applied a spot-fix for big-endian hardware.
Updated libtheora to 1.2.0.
Updated libvpx to 1.16.0 with various fixes to retain compatibility with older MacOS and PowerPC platforms.
Pale Moon, from this version forward, allows unencrypted websocket connections to localhost addresses even when the calling document was served encrypted.
Fixed an issue in the new Cascade Layers implementation causing problems with UI elements and extensions.
Fixed several issues with the new ICU library implementation in UXP:
Fixed an issue where it was returning unexpected Unicode spaces in date strings instead of standard space characters, causing problems with web scripting.
Fixed an issue with plural forms for Shuar, Welsh and several Slavic languages.
Fixed an issue with letter dots in Lithuanian.
Fixed an issue with word-wrapping in Tibetan.
Fixed an intermittent browser crash related to removing cached image data, and improved image data cache handling as a whole.
Further improved compatibility with Mac on PowerPC hardware.
Restored support for building on 32-bit MacOS 10.6.
Applied miscellaneous fixes for building on MacOS 10.5 (Leopard) and 10.6 (Snow Leopard).
Fixed run-time issues on FreeBSD 15.*.
Fixed an issue with applying image filters on

This is a minor release to address some critical issues in the new milestone.
Changes/fixes:
Backed out the expat library update for causing memory inflation and browser hang issues on XUL/XML and SVG files with particularly large attributes.
Backed out the change of the Javascript PRNG for causing intermittent issues and crashes on 32-bit platforms.
Both of these issues are being investigated and can hopefully re-land with the next development release.

This is a new milestone release! There are many changes in this milestone; the most important ones are highlighted here.
New features:
Our default theme on Windows received a refresh and update. It should integrate better with Windows 11 now, and be more responsive to dark accent colors, among other things.
Implemented WeakRef. See implementation notes.
Implemented URL.canParse().
Implemented the inset-block and inset-inline CSS shorthands.
Added a preference (privacy.forgetaboutsite.clearPasswords) to control clearing of passwords when using "forget about this site" in the permissions manager, and disabled clearing of passwords by default, since it was considered unexpected behavior by the community.
Changed our JavaScript PRNG to Xoroshiro128++ to make it more robust while keeping high performance.
Important updates and fixes:
Re-landed CSS Cascade Layers support after the previous back-out.
Re-landed CSS color-mix support after the previous back-out. RGB and HSL color spaces only, like previous.
Implemented viewport overflow propagation logic. See implementation notes.
Unprefixed CSS -moz-appearance; Pale Moon now accepts the unprefixed CSS appearance keyword. For compatibility, -moz-appearance and -webkit-appearance (if enabled) have been retained, although the long-term plan is to eventually remove the -moz prefixed one, so if you are an extension or theme developer, please consider switching your CSS to use appearance without a prefix.
Fixed an intermittent but fairly prominent crash-to-desktop due to JavaScript garbage collection on certain modern sites.
Fixed a crash on sites with certain types of CSP handling.
Fixed a crash in WASM.
Updated NSS to 3.90.9 (custom) to pick up several security and stability fixes.
Updated ICU to v78.1. This is a major uplift for our internationalization subsystem, allowing further future developments for the Internationalization API.
Updated Emoji support to Unicode 17.
Updated our expat parser code to a more recent

Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.

Changes/fixes:
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Security issues addressed: CVE-2025-1009.

Changes/fixes:
Implemented Regular Expression "match indices" (/d) feature.
Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
Updated handling of referrer policies to adhere to the updated spec.
CSS font variations keywords no longer throw an error. See implementation notes.
CSS border-radius will now also apply to element outlines.
Improved the display of amount of cached web content in preferences when cache is being cleared.
Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
Refreshed the built-in list of effective top-level domains.
Fixed several application crashes.
Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).
Implementation notes:
The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse th

Changes/fixes:
Added a processor check to the 64-bit installer for Windows to check for AVX.
Note: this check does not work on Window 7/8/8.1 and will allow installations on non-AVX processors there.
Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation.
Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
Addressed CVE-2024-10463.