Portable Pale Moon full changelog

Fixed a regression in 34.2.1 that would cause crashes to desktop when using certain extensions or visiting certain websites.
Fixed potential security issues with audio channel mixing, MP3 decoding (DiD), international text display, DOM workers (DiD), reading of files (DiD), and the ANGLE graphics library.

Changes/fixes:
Fixed a regression leading to cursive languages (where multiple characters combine) not being rendered correctly (e.g. Arabic).
Updated our cookie magic prefix handling, adding __Http- and __Host-Http- magic prefixes and aligning our implementation with RFC 6265bis.
Updated our Brotli library to 1.2.0+ (1.2.0 with additional fixes).
Updated NSS to 3.90.10.0 (UXP). For clarity, the version now carries the (UXP) label to distinguish this fork (which has additional mitigations) from the 3.90 branch of NSS maintained by Mozilla.
A large audit of security issues was performed. Many security issues were addressed, including potential crash scenarios and code correctness issues.
As a summary: 50 potential vulnerabilities were found applicable and fixed, 20 issues had DiD code changes applied, and 4 were already mitigated by us before being reported.
Of the reported vulnerabilities, 270 were not applicable to our code (with the vast majority pertaining to e10s/multi-process browser architecture) and 6 low-impact ones were marked for further investigation at a later time.

New features:
Implemented ES2018 Proxy ownKeys duplicate-key invariant.
Implemented ES2022 Error.cause property.
Implemented support for oklab and oklch color spaces in CSS.
Implemented ES2024 object.GroupBy.
Implemented the remainder of the ES2023 Change Array by Copy proposal (toSpliced(), with(), and TypedArray versions of toReversed(), toSorted() and with()).
Implemented AudioNode constructors.
Implemented support for nested CSS grammar.
Implemented the window.MathMLElement global.
Changes/fixes:
Fixed a crash related to WeakRef use.
Fixed stack exhaustion crashes as a result of top-level await in modules.
Updated our expat parser library to 2.7.4, fixing various issues.
Updated url.CanParse() to allow custom schemes.
Updated document.currentScript to align with the currently used spec.
Fixed a crash due to infinite recursion.
Fixed a crash on MacOS due to WebGL attribute arrays.
Fixed a crash related to pointer @media queries in CSS.
Fixed a crash related to the spellchecker when handling input fields in Shadow DOM.
Future-proofed whitespace handling in ParseDate in light of Unicode variable whitespace use.
Removed irrelevant plugin preferences when plugin support isn't built into the browser (non-standard builds/forks).
Improved support for the mimalloc memory allocator.
Improved support for LoongArch CPUs.
Added special handling for certain MacOS system fonts.
Removed leftover code for unsupported Itanium, 32-bit Sparc and other old architectures.
Added a workaround for CloudFlare image resizing, since it requires more opaque URL handling to function.
This workaround is controlled with the new preference network.url.cloudflare_image_resizing.enabled (default true). See implementation notes.
Security issues addressed: CVE-2026-4707 (DiD), CVE-2026-4690 (DiD), CVE-2026-4727 (DiD), and others without a CVE designation.
A note that Mozilla-relevant security issues CVE-2025-59375 and CVE-2026-4726 had already been addressed in the browser before this release.
Impl

New features:
Re-landed Xoroshiro128++ JavaScript PRNG to make it more robust while keeping high performance.
This was previously backed out due to intermittent issues and crashes.
Implemented JavaScript SubmitEvent support for HTML forms.
Implemented JavaScript requestSubmit() for HTML forms.
Implemented JavaScript toSorted().
Implemented JavaScript toReversed().
Implemented top-level await support for JavaScript modules. See implementation notes.
Implemented pointer and hover CSS media queries.
Enabled hardware-accelerated decoding for VP9 videos (where possible).
Changes/fixes:
Re-landed our expat library update, with fixes for large attribute parsing.
Updated the JPEG-XL library to 0.11.2 to pick up security and performance fixes, and applied a spot-fix for big-endian hardware.
Updated libtheora to 1.2.0.
Updated libvpx to 1.16.0 with various fixes to retain compatibility with older MacOS and PowerPC platforms.
Pale Moon, from this version forward, allows unencrypted websocket connections to localhost addresses even when the calling document was served encrypted.
Fixed an issue in the new Cascade Layers implementation causing problems with UI elements and extensions.
Fixed several issues with the new ICU library implementation in UXP:
Fixed an issue where it was returning unexpected Unicode spaces in date strings instead of standard space characters, causing problems with web scripting.
Fixed an issue with plural forms for Shuar, Welsh and several Slavic languages.
Fixed an issue with letter dots in Lithuanian.
Fixed an issue with word-wrapping in Tibetan.
Fixed an intermittent browser crash related to removing cached image data, and improved image data cache handling as a whole.
Further improved compatibility with Mac on PowerPC hardware.
Restored support for building on 32-bit MacOS 10.6.
Applied miscellaneous fixes for building on MacOS 10.5 (Leopard) and 10.6 (Snow Leopard).
Fixed run-time issues on FreeBSD 15.*.
Fixed an issue with applying image filters on

This is a minor release to address some critical issues in the new milestone.
Changes/fixes:
Backed out the expat library update for causing memory inflation and browser hang issues on XUL/XML and SVG files with particularly large attributes.
Backed out the change of the Javascript PRNG for causing intermittent issues and crashes on 32-bit platforms.
Both of these issues are being investigated and can hopefully re-land with the next development release.

This is a new milestone release! There are many changes in this milestone; the most important ones are highlighted here.
New features:
Our default theme on Windows received a refresh and update. It should integrate better with Windows 11 now, and be more responsive to dark accent colors, among other things.
Implemented WeakRef. See implementation notes.
Implemented URL.canParse().
Implemented the inset-block and inset-inline CSS shorthands.
Added a preference (privacy.forgetaboutsite.clearPasswords) to control clearing of passwords when using "forget about this site" in the permissions manager, and disabled clearing of passwords by default, since it was considered unexpected behavior by the community.
Changed our JavaScript PRNG to Xoroshiro128++ to make it more robust while keeping high performance.
Important updates and fixes:
Re-landed CSS Cascade Layers support after the previous back-out.
Re-landed CSS color-mix support after the previous back-out. RGB and HSL color spaces only, like previous.
Implemented viewport overflow propagation logic. See implementation notes.
Unprefixed CSS -moz-appearance; Pale Moon now accepts the unprefixed CSS appearance keyword. For compatibility, -moz-appearance and -webkit-appearance (if enabled) have been retained, although the long-term plan is to eventually remove the -moz prefixed one, so if you are an extension or theme developer, please consider switching your CSS to use appearance without a prefix.
Fixed an intermittent but fairly prominent crash-to-desktop due to JavaScript garbage collection on certain modern sites.
Fixed a crash on sites with certain types of CSP handling.
Fixed a crash in WASM.
Updated NSS to 3.90.9 (custom) to pick up several security and stability fixes.
Updated ICU to v78.1. This is a major uplift for our internationalization subsystem, allowing further future developments for the Internationalization API.
Updated Emoji support to Unicode 17.
Updated our expat parser code to a more recent