Pale Moon - Release Notes for Archived Versions
General information
These release notes are kept for historical reference only. Versions on this page have been superseded by newer versions of Pale Moon and we do not provide support for them.
DiD: This means that a fix is "Defense-in-Depth": it is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Release notes for version 33 releases
v33.7.2 (2025-06-03)
This is a security release.
Changes/fixes:
- Addressed PWN2OWN-2025-1 (out of bounds read or write in promise). (DiD)
- Addressed PWN2OWN-2025-2 (out of bounds read or write when using the ExtractLinearSum optimization). (DiD)
- Fixed potential unexpected behavior in embedded protobuf code. (DiD)
- Fixed an issue with potentially uninitialized contrast values when enhanced device contrast values cannot be read from the O.S. (DiD)
- Fixed potential sanitization issues with devtools' "Copy as curl" feature. It should be noted that we do not currently offer cross-platform "curl" features, so this is another DiD for this release.
v33.7.1 (2025-05-06)
This is a bugfix and security release.
Changes/fixes:
- Fixed a crash dealing with BigInt in JavaScript compilation.
- Updated NSS to 3.90.7 to pick up a security fix.
- Updated devtools to escape some more characters in "Copy as cURL" on POSIX operating systems. (DiD)
v33.7.0 (2025-04-08)
This is a development, bugfix and security release.
Changes/fixes:
- Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
- Our minimum GCC version requirement to build is now 9.1.
- Improved channel handling when CSP blocks network redirects.
- Implemented several fixes for CORS preflight requests.
- Added explicit whitelisting from CSP content loading of javascript: scheme URLs.
- Updated the ffvpx library to 6.0.1, this time preventing video color range regressions. An update to 6.0 was previously backed out in 33.5.0.
- Updated the JPEG-XL library to 0.11.1 to pick up several fixes and improve decoding compatibility of jxl files.
- Updated the SQLite library to 3.49.1.
- Fixed a spec compliance issue with DOMRect and DOMQuad returning 0 if NaN was present. We now return NaN in that case, per spec.
- Fixed a spec compliance issue with NTLM authentication. We now compute Channel Binding Hashes using the certificate signature's hash algorithm, per spec. Note that particularly weak algorithms are not used and SHA256 will be used as a minimum, instead, in those cases.
- Fixed a buildability issue on Mac with XCode 16.3.
- Added some additional safety checking to SharedArrayBuffers.
- Added some additional safety checking to XSLT compilation and transformation.
- Windows only: Added a preference widget.windows.follow_shortcuts_on_file_open to control how Windows File Open dialogs handle shortcut links. See implementation notes.
Security bugs addressed: CVE-2025-3028 (DiD) and CVE-2025-3033 (see implementation notes).
Implementation notes:
Windows only: This version introduces a new (numeric) preference to control how the "Open File" dialogs handle shortcut links in the file system. A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevents the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating "through" shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, this would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Pale Moon, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers that you don't exactly know what they do (and never take their explanations at face value).
v33.6.1 (2025-03-11)
This is a security, bugfix and stability update.
Changes/fixes:
- Simplified some WASM code generation in the Ion JIT compiler.
- Fixed a crash in loading external resource maps.
- Disabled potentially unsafe attempts at recovering JIT operations.
- Fixed some minor linking issues in about:rights.
- Updated the embedded emoji font to fix incorrect display of some of the wheelchair emoji.
Security issues addressed: CVE-2025-1934 (DiD).
v33.6.0.1 (2025-02-20)
This is an extra update to mitigate as much of the CloudFlare issues leading to browser hangs and memory issues as possible on the web browser side. Unfortunately CloudFlare still hasn't pulled their scripts that seem to deliberately cause these issues on Pale Moon and other independent browsers they seem to want to keep from the websites they "protect". If you are interested in learning more, check out the forum thread where we're discussing this issue.
Once again, please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).
Changes/fixes:
- Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
- Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
- Added a few other small fixes that are tangentially related to the code changes made.
v33.6.0 (2025-02-07)
This is a development, bugfix and security release.
Due to the fact that CloudFlare has been causing application crashes that impact many users, this release has been pulled forward a few days to address these crashes with priority (should be fixed in this release).
Please note that at the time of publication of this browser version and release notes, even though crashes have been fixed, CloudFlare is denying UXP-based browsers as well as several other independent/smaller browsers access to many websites by way of their malfunctioning "security check" or captcha, with no priority given to actually fix it despite it being denial of service for users of affected browsers. Please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).
Changes/fixes:
- Implemented a content sniffer for ADTS and raw AAC audio.
- Implemented AbortSignal.abort() and stub AbortSignal.timeout().
- Unprefixed the :modal CSS pseudo-class and exposed it to content.
- Improved efficiency and performance of the Cycle Collector.
- Added a check for explicit expectation of a percentage value in CSS HSL for the S and L components.
- Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
- Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
- Updated the root certificates in the internal trust store.
- Updated the Public Suffix List (eTLD) in the browser.
- Removed no longer specced URL Constructor(DOMString url, URL base).
- Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
- Changed the default Firefox Compatibility user-agent version to 115.0.
- Fixed an issue where cloned element, including modal handling and custom backdrops.
- Implemented coarser, user-configurable granularity for the canvas poisoning anti-fingerprinting measure. See implementation notes.
- Implemented new CSS viewport units svw, svh, svmin, svmax, lvw, lvh, lvmin, lvmax, dvw, dvh, dvmin and dvmax.
- Implemented new CSS logical viewport units vb, vi, svb, svi, lvb, lvi, dvb and dvi.
Changes/fixes:
- Removed the archaic and wholly outdated FIPS security module code.
- Removed the archaic DBM support code for storing of passwords in DBM format files.
- Removed the -moz prefix from -moz-fit-content, aligning with the current CSS standard fit-content value.
- Updated our build system by adopting parts of the old autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build requirement. If you build from source, you may want to review your dependencies with this change.
- Fixed issues when building with GCC 14.* and Clang 16.*.
- Fixed issues with emoji sequence clusters causing incorrect rendering of emoji glyphs in some cases.
- Made some arguments to the legacy XPathEvaluator/XPathExpression interfaces optional for web compatibility.
- Fixed a crash when reporting JavaScript module exporting errors.
- Updated checking of special cookie prefixes to be case-insensitive in accordance with the current RFC 6265 (bis-11+).
- Fixed issues with external protocol handlers.
- Fixed an issue where autocomplete pop-ups would stay open in some circumstances.
- Fixed an issue with potentially bad file names being entered by the user to "Save As...".
- Fixed several crashes and race conditions.
Security issues addressed: CVE-2024-5699, CVE-2024-5702 (DiD), CVE-2024-5690, CVE-2024-5698 (DiD), CVE-2024-5688 (DiD), CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE numbers assigned to them.
Implementation notes:
While we have had canvas data poisoning as an option for a very long time (we introduced it as a concept), it was pointed out that having a fast rotation on the poisoning, leading to new and unique canvas hashes every time a user would navigate, was a red flag to trackers that poisoning is being employed, mitigating its intent. A different implementation of canvas poisoning was created that will still provide human-imperceptible data manipulation of canvases leading to bogus hashes for trackers, but now in such a way that this hash will not change for a coarser, but variable time frame. This time frame defaults to 5 minutes in this release, which may be tweaked in the future if necessary, but is also entirely user-configurable between 1 second and 8 hours with the preference canvas.poisondata.interval (indicated in seconds).
v33.1.1 (2024-05-28)
This is a minor security and stability update.
Changes/fixes:
- Made the nonce length for http digest auth configurable.
- Fixed various potential issues with font loading, parsing and handling.
- Cleaned up error reporting for workers and normalized error messages.
Security issues addressed: CVE-2024-4772 (DiD), CVE-2024-4771, CVE-2024-4769 and CVE-2024-4770.
We've switched back to an older toolchain (17.3) for compiling 32-bit Windows binaries (again) to hopefully address some of the intermittent stability issues people continued to have on later Microsoft compiler versions when running on older hardware.
v33.1.0 (2024-04-23)
This is a development, stability and security release.
New features:
- Implemented support for single-use rel=preload meta tag. This implementation allows use of it without specifying a second meta tag to actually load the linked document which was originally intended for this tag (to hint to a browser it should pre-load the document for fast painting).
- Implemented CSP v3 keywords script-src-elem, script-src-attr, style-src-elem and style-src-attr.
- Enabled the use of html5's by default. While this is not yet a complete implementation, use of it in the wild dictated we enable this early. The implementation should functionally suffice for usage seen so far.
- Added support for Emoji 15.1.
- Implemented webkitURL legacy window alias for URL for web compatibility.
- Implemented CSS shorthands margin-block, margin-inline, padding-block and padding-inline.
- Added support for querying CPU capabilities (SSE2/AVX/AVX2) to the Navigator interface. For privacy reasons this is not exposed to the web, but can be used by extensions.
Changes/fixes:
- Fixed broken mousewheel scrolling if building with --disable-npapi.
- Fixed a minor issue with XUL tree display in some circumstances.
- Dev: Aligned canvas Path2D.addPath with the updated spec. It now supports DOMMatrix as opposed to SVGMatrix.
- Removed Stylo (Gecko Rust style system) leftovers from the source tree.
- Fixed a few potential emoji display issues.
- Fixed some issues with workers.
- Fixed an issue with ctrl+c copying in devtools.
- Fixed crashes when run under WINE because of its lack of support for IDXGIKeyedMutex.
- Fixed a crash when dealing with a specific (unmaintained) extension.
- Added .xrm-ms files to the executable warning list on Windows.
- Added sanity checks on http/2 header sizes.
- Fixed a potential issue in the JavaScript JIT compiler.
- Pulled a few fixes from upstream for the OpenType Sanitizer.
- Added a fix to avoid a potential issue when assigning a media data buffer.
Security issues addressed: CVE-2024-3863, CVE-2024-3302, CVE-2024-3857 (DiD), CVE-2024-3859 and CVE-2024-3861 (DiD).
v33.0.2 (2024-03-26)
This is a minor security and stability release.
Changes/fixes:
- Fixed an issue with attributes on duplicate html tags.
- Aligned the behavior of internal pointer structures to be more uniform. (DiD)
Security issue addressed: CVE-2024-2610
v33.0.1 (2024-02-27)
This is a bugfix and security update.
Changes/fixes:
- Removed site-specific override for Amazon.com due to breakage.
- Fixed script timeout values that were inadvertently overridden in branding.
- Fixed an issue where empty MIME type registrations would break some parts of the UI.
- (Linux only) Pasting URLs to content now by default does not navigate to that URL. If content-paste-navigation is enabled (via middlemouse.contentLoadURL), navigation is now restricted to pasting to active body type elements (to prevent unwanted navigation when pasting URLs to input boxes, for example).
- Fixed a problem with JS modules preventing ExportEntries from working.
- (Linux only) Fixed a build issue when building with a system-supplied cairo library (unsupported).
- Fixed an issue where workers could lock up the browser with SetInterval with an out-of-bounds (too small) value. This is now clamped to 4ms matching the HTML spec.
- Fixed a few usability issues with the built-in developer tools.
- Fixed a potential crash in web workers.
- Fixed a potential overflow issue in image maps.
- Fixed a potential security issue with multi-part/mixed content (CVE-2024-1551).
(From this point forward we will no longer list UXP Mozilla security patch summaries as they are mostly irrelevant.)
v33.0.0 (2024-01-30)
This is a new milestone release. It involves over 250 commits, of which the most important ones are highlighted here.
New features:
- Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). This API is restricted to writing only for obvious security considerations. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented wheel concept of ClipboardItem objects.
- Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
- Implemented an option (found in Preferences -> Content -> Media tab (new this version)) to restrict DOM full-screen mode to the existing browser window.
- Implemented several options in a new preferences tab (Preferences -> Privacy -> Tracking) to allow users to more easily control several privacy-impacting features, namely poisoning of canvas data (to prevent fingerprinting), and enabling of Performance observers (a developer feature) that some websites rely on for their operation.
- Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.
Fixes:
- Aligned microtasks and Promises scheduling with the current spec and expected behavior.
- We now no longer send click events to top levels of the document hierarchy when using non-primary buttons (use auxclick instead, to capture these events).
- Greatly improved the performance of box shadows.
- Greatly improved the performance of file/data uploads over HTTP/2 (most of the secure websites out there).
- Fixed several issues related to focus and content selection.
- Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
- Fixed an issue with CSP not behaving as expected when using importScripts() and fixed a number of additional CSP-related issues.
- Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
- Fixed a spec compliance issue with StructuredClone.
- Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
- Fixed crashes when dynamic imports are canceled (e.g. by navigation).
Other changes:
- Changed to now have its .files property be writable following a spec change and recommendation.
- We are now requiring and building against the C++17 language standard.
- Updated the in-tree ffvpx lib to 6.0.
- Added a preference to allow users to completely disable reporting of CSP errors to webmasters. Using this is strongly discouraged as it will provide essential troubleshooting information to webmasters setting up CSP, and does not pose a privacy issue, but for those who really want it, it can now be fully disabled. The preference is security.csp.reporting.enabled.
- Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
- Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
- Improved efficiency of handling D3D textures.
- Added initial and experimental Mac PowerPC and Big Endian support.
- Changed the behavior of hung scripts. We now automatically terminate them instead of presenting the user with a dialog box (which may or may not show in a reasonable time if the browser is too busy trying to process the hung script). If you prefer the old behavior, uncheck the box "Automatically stop non-responsive scripts" in Preferences -> Content -> General.
Security issues addressed: CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 (DiD), CVE-2024-0750 (DiD), and CVE-2024-0753.
UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.
Release notes for version 32 releases
v32.5.2 (2023-12-22)
This is a bugfix and security update.
Merry Christmas and Happy Holidays to all!
Changes/fixes:
- Removed the standard Twitter/X user-agent override because they decided to block us on it.
- Added preferences for the user to control whether or not the tab page title should be included in the window title. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
- Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
- Removed a restriction on Fetch preflight redirects, following a spec update.
- Improved the handling of web workers if they get aborted mid-action.
Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 4 fixed, 2 DiD, 1 rejected (which was DiD at best), 1 postponed (low risk), 22 not applicable.
v32.5.1 (2023-11-28)
This is a minor development and security update.
Important: as of this version, our beta FreeBSD binaries require at least FreeBSD 13.
Changes/fixes:
- Restricted protocol fallback for TLS. Pale Moon no longer (by default) allows TLS 1.3 to fall back to earlier protocol versions during the initial handshake.
- Reverted the addition of browser.bookmarks.openInTabClosesMenu due to behavioral issues with menus. If you desire the intended behavior, please use an extension instead.
- We no longer support the data: protocol inside SVG's statements.
- Enabled more validation/error checking for WebGL on Windows to prevent potential crashes.
- Improved secure context checking for iframes.
- Fixed the handling of relative paths in URLs starting with multiple forward slashes.
Security issues addressed: CVE-2023-6204, CVE-2023-6210, CVE-2023-6209 and CVE-2023-6205 (DiD).
UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14 not applicable.
v32.5.0 (2023-10-31)
This is a major development and security update. And a Happy Halloween to everyone who celebrates! 🎃👻🦇
Changes/fixes:
- Added an initial implementation of the ReadableStreams API, improving web compatibility with sites that apparently use this API in utilitarian fashion.
- Added support for transparency in WebM videos for the edge case of using