Pale Moon - Release Notes

General notes:
DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

v34.0.0 (2026-01-20)

This is a new milestone release! There are many changes in this milestone; the most important ones are highlighted here.

New features:

  • Our default theme on Windows received a refresh and update. It should integrate better with Windows 11 now, and be more responsive to dark accent colors, among other things.
  • Implemented WeakRef. See implementation notes.
  • Implemented URL.canParse().
  • Implemented the inset-block and inset-inline CSS shorthands.
  • Added a preference (privacy.forgetaboutsite.clearPasswords) to control clearing of passwords when using "forget about this site" in the permissions manager, and disabled clearing of passwords by default, since it was considered unexpected behavior by the community.
  • Changed our JavaScript PRNG to Xoroshiro128++ to make it more robust while keeping high performance.
Important updates and fixes:
  • Re-landed CSS Cascade Layers support after the previous back-out.
  • Re-landed CSS color-mix support after the previous back-out. RGB and HSL color spaces only, like previous.
  • Implemented viewport overflow propagation logic. See implementation notes.
  • Unprefixed CSS -moz-appearance; Pale Moon now accepts the unprefixed CSS appearance keyword. For compatibility, -moz-appearance and -webkit-appearance (if enabled) have been retained, although the long-term plan is to eventually remove the -moz prefixed one, so if you are an extension or theme developer, please consider switching your CSS to use appearance without a prefix.
  • Fixed an intermittent but fairly prominent crash-to-desktop due to JavaScript garbage collection on certain modern sites.
  • Fixed a crash on sites with certain types of CSP handling.
  • Fixed a crash in WASM.
  • Updated NSS to 3.90.9 (custom) to pick up several security and stability fixes.
  • Updated ICU to v78.1. This is a major uplift for our internationalization subsystem, allowing further future developments for the Internationalization API.
  • Updated Emoji support to Unicode 17.
  • Updated our expat parser code to a more recent version (2.7.3), fixing various issues.
  • Improved handling and rendering of emoji clusters.
Other changes:
  • Added support for building on Sparc64 hardware.
  • Added support for building for NetBSD on Alpha.
  • Added basic support for building on Mac PowerPC (still a work in progress).
  • Added basic support for building on LoongArch64 hardware (龍芯 CPUs).
  • Added support for running on FreeBSD 15.
  • Removed automatic coloring of auto-filled login fields as it would interfere with various browser and system color schemes.
    If preferred, this can be reinstated by users with a userContent.css document or e.g. the Stylem extension by leveraging the :autofill CSS pseudo-class.
  • Restored support for in-process NPAPI plugins, allowing plugin use on systems where out-of-process is undesirable.
  • Improved JavaScript IonMonkey stability on ARM and Mac SoC hardware.
  • Linux GTK builds now always build with gio, and gconf support has been removed.
  • Security issues addressed: CVE-2025-13015, CVE-2026-0879 (DiD), CVE-2026-0880 (DiD), CVE-2026-0889 (DiD), CVE-2026-0883, CVE-2026-0886 (DiD), and several others without a CVE designation.
Implementation notes:
  • This milestone implements WeakRef in the platform in 2 modes, controlled by a new preference javascript.options.weakrefs. In the default mode (false), WeakRef does not allow page content to reach into the JavaScript engine to coerce garbage collection, while still offering the front-end API to web content (effectively creating a stub). The other mode (true) allows this coercion and gives potentially malicious web scripting some* control over the JavaScript garbage collector. It is not recommended to set this to true for general use. Only enable it if you are running trusted code that explicitly requires nudging the JavaScript engine to dereference objects. We resisted having this strongly discouraged and potentially dangerous API at all, but some sites started to use WeakRef unconditionally and broke without the API front-end, so this compromise was implemented, leaving control in the hands of the user.
    * The spec only allows for code to hint/coerce and does not guarantee if or when dereferencing happens.
  • A number of sites (including some top Internet sites) have started using overflow-x: clip without overflow-y on full-document elements (document root/<html> or <body>). While doing this makes little to no logical sense, our strict implementation of clip (since 33.9.0, also see the implementation notes there) would, as a result, create unscrollable pages. There is some special logic for this (viewport overflow propagation) described in the relevant drafts, which we have now implemented, updating our overflow: clip implementation to avoid the previously problematic strict behaviour in these particular cases.
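The WeakRef note above leaves page script with no guarantee about when, or whether, deref() will ever return undefined: in the default stub mode it may never do so. The following is an added example, not Pale Moon's own code, of how content script should use the API: a cache that keys its correctness on an explicit expiry and treats collection purely as a bonus. The SoftCache class and its method names are this example's own.

```javascript
// Added example (not Pale Moon code): a lookup cache that behaves correctly
// whether WeakRef.deref() ever returns undefined (real weak references) or
// never does (a front-end stub that keeps the target alive).
//
// Assumption: the spec only guarantees that deref() returns either the original
// target or undefined, never some other object. Nothing below depends on
// collection actually happening.

const hasWeakRef = typeof WeakRef === "function";

class SoftCache {
  constructor() {
    this.entries = new Map(); // key -> { ref, expires }
  }

  // Store `value` under `key`. `ttlMs` is the explicit expiry and is the only
  // invalidation the cache can count on, since collection is just a hint.
  set(key, value, ttlMs, now = Date.now()) {
    if (typeof value !== "object" || value === null) {
      throw new TypeError("WeakRef targets must be objects");
    }
    // Fall back to a plain holder on engines without WeakRef at all.
    const ref = hasWeakRef ? new WeakRef(value) : { deref: () => value };
    this.entries.set(key, { ref, expires: now + ttlMs });
    return value;
  }

  // Returns the cached object, or undefined when it has expired or has been
  // collected. Expired entries are dropped so a stub (strong) reference does
  // not pin the object forever.
  get(key, now = Date.now()) {
    const entry = this.entries.get(key);
    if (!entry) return undefined;
    if (now >= entry.expires) {
      this.entries.delete(key);
      return undefined;
    }
    const target = entry.ref.deref();
    if (target === undefined) {
      this.entries.delete(key); // collected: forget the dead entry
    }
    return target;
  }

  // Number of entries whose target is still reachable through deref().
  liveCount() {
    let n = 0;
    for (const [key, entry] of this.entries) {
      if (entry.ref.deref() === undefined) this.entries.delete(key);
      else n++;
    }
    return n;
  }
}

// Demonstration with a constructed session object.
function demo() {
  const cache = new SoftCache();
  const session = { user: "alice", roles: ["viewer"] };
  cache.set("sess-1", session, 1000, 0);     // expires at t = 1000
  const hitEarly = cache.get("sess-1", 500); // same object back
  const hitLate = cache.get("sess-1", 1000); // expired -> undefined
  return { hitEarly, hitLate, live: cache.liveCount() };
}
```

The point of the TTL is that a cache relying on deref() eventually returning undefined to bound its memory would never shrink under the default preference value, where the front-end stub keeps every target reachable.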



v33.9.1 (2025-10-21)

This is a bugfix and security update.

Changes/fixes:

  • Temporarily backed out the implementation of CSS Cascade Layers for causing layout issues on websites. This will re-land when fixed.
  • Temporarily backed out the implementation of CSS color-mix for causing crashes. This will re-land when fixed.
  • Per request from our user base, the blank page with the Pale Moon logo (default for new tabs) will now have an appropriate title (for e.g. identification in tab and window title).
  • Further improved the "copy as cURL" devtools function. (CVE-2025-11713)
Implementation notes:
  • There was one reported security issue (CVE-2025-11712) that was investigated but rejected, as adoption of the mitigation for a non-critical security issue that requires very specific environments to be exploited (with considerable blame for the webmaster) would, in fact, require us to go against some very clear specifications in the HTML standard. Mozilla adopted this primarily for behavioral parity with Chrome. Security impact in the real world was considered to be negligible, and this would have negatively impacted some NPAPI functionality as well.
  • The vast majority of this release cycle's Mozilla security issues centered around vulnerabilities due to its multi-process nature and inter-process communication, which are (of course) not applicable to Pale Moon (or any other UXP browser). Multi-process remains mainstream browsers' Achilles' heel, security wise, even years after moving to that application model. It's ironic that the supposed "big security advantages" of multi-process have been more than undermined by the technology itself.



v33.9.0.1 (2025-09-24)

This is a small, critical update to address issues with the browser's stability and usability due to the 33.9.0 changes to X-Content-Type-Options: nosniff header parsing.

v33.9.0 (2025-09-23)

This is a major development, bugfix and security release, focusing primarily on improving web compatibility.
Special thanks to the students from the University of the Philippines Los Baños for their work on improving CSS in the platform over the summer!

New features:

  • Implemented the CSS4 revert keyword.
  • Implemented the clip keyword for overflow. See implementation notes.
  • Implemented axis-shorthand parsing of overflow. This should fix some issues with areas being unscrollable on the web.
  • Implemented CSS color-mix (RGB and HSL color spaces only).
  • Implemented CSS @supports(selector(<complex selector>)) syntax.
  • Implemented CSS Cascade Layers @layer support.
  • Implemented support for CSS clip-path:<geometry-box> without actually supplying a clip path to use. See implementation notes.
  • Implemented overflow-inline and overflow-block CSS properties.
  • Implemented the :autofill CSS pseudo-class. Auto-filled fields will now also be styled by default to indicate autofilling/password manager recall has occurred.
  • Implemented the :focus-visible CSS pseudo-class.
  • Implemented the prefers-reduced-motion CSS media query. See implementation notes.
  • Implemented a minimal version of the visualViewport web API. See implementation notes.
Changes/fixes:
  • Un-prefixed CSS -moz-user-select and aligned with the user-select CSS4 spec.
  • Un-prefixed CSS -moz-read-only and -moz-read-write pseudo-classes.
  • Improved the handling of X-Content-Type-Options: nosniff to align more with the spec and expected behavior on the web.
  • Added support for FFmpeg 7.0/libavcodec 61.
  • Fixed a bug where sub-properties of CSS border-image would not update when the value they inherit from changes.
  • Fixed a bug where scrollbar-width was incorrectly treated as an inherited property.
  • Fixed an issue where screen/pixel color depth could potentially be mis-reported on Linux.
  • Fixed a potential issue with fontconfig on Linux. We now explicitly initialize fontconfig on startup.
  • Fixed various issues with vpx on PowerPC architectures.
  • Fixed issues when building ffvpx on architectures without assembly support.
  • Fixed a memory safety issue in two-position gradient color-stops code.
  • Changed the way @import rules are processed. They will now be processed in the order of appearance in the importing stylesheet.
  • Changed how TypedArray constructors handle initialization values, aligning with the ECMAScript spec. See implementation notes.
  • Changed how Cache-control HTTP headers are parsed if multiple headers are present in a response.
  • Made additional improvements to "Copy as cURL" devtools command.
  • Security issues addressed: CVE-2025-10536 and CVE-2025-10533 (DiD).
Implementation notes:
  • The clip keyword allows you to specify overflow behavior that acts like a "passe-partout". This means any overflow will be hidden and content unscrollable.
    Important note:
    we have strictly followed the standard specification here which may result in issues on some websites if they do not explicitly specify overflow behavior in both axes when using clip as a keyword. clip, per the specification, results in unscrollable hidden content. If the other axis is unset, it will result in visible overflow that is also unscrollable (no scrollbar or mousewheel scrolling). Other browsers may default to scrollable visible overflow, instead. If you are a webmaster, please double-check if you are specifying overflow correctly when you are using clip. Because some of clip's behavior may be unintuitive at first glance, it serves well to always be explicit in both directions what kind of overflow behavior is desired.
  • Pale Moon now supports specifying a CSS clip-path with just a geometry box (e.g. border-box) without defining a path. This should fix some websites displaying fully blank pages due to webmasters relying on implied "border-following" clipping when specifying a clip-path this way. Previously, this would result in everything being clipped (which used to be the explicit behaviour when no path definition was provided).
  • The CSS media query prefers-reduced-motion can be used by webmasters to provide alternative styling of web pages when users indicate that they prefer web pages with less visual motion (e.g. for accessibility considerations for people with vestibular motion disorders). Pale Moon users can indicate this preference with a new option in the browser (Preferences -> Advanced -> tab "General" -> "Prefer reduced visual motion" under Accessibility). Please note that this option doesn't change how the browser itself handles e.g. animations or CSS; it is up to the webmaster to make use of this CSS feature to cater to visitors with this preference indicator.
  • We now support a minimal implementation of the visualViewport web API. This API gives webmasters an indication of how much of the visible web page should be considered "fully visible" to users. This API is primarily designed to cater to mobile traffic where browsers may be impaired by e.g. a camera notch in the screen. Since this isn't a concern on desktop, we always return a fixed (0,0) value for origin and offset. For other parts of the API, we give back the width/height of the root scrollframe of web content, while for scale we pass forward our dpp resolution (usually 1.0).
  • TypedArray constructors can be passed initialization values to indicate the initial size of the array to create. According to the specified behavior, we should accept most values (anything accepted by ToIndex), even those that make no sense (e.g. a string or undefined). This has now been changed to align with that spec and we no longer throw an error in those cases, and simply return a 0-length typed array instead.
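To make the TypedArray note concrete, here is an added example (not Pale Moon or SpiderMonkey code) that writes out the ECMA-262 ToIndex conversion a TypedArray constructor applies to a non-object length argument, and compares it against what the running engine does for a set of constructed inputs. The helper names and the sample input list are this example's own. The practical consequence for callers is the last function: code that used to validate a length by catching the constructor's exception now silently gets an empty array for strings, booleans and undefined, so the check has to be explicit.

```javascript
// Added example (not Pale Moon code): the ECMAScript ToIndex conversion used
// by TypedArray constructors for non-object length arguments, next to a helper
// that reports what the running engine actually does.

const MAX_SAFE_LENGTH = Number.MAX_SAFE_INTEGER; // 2^53 - 1, ToLength's ceiling

// ToIntegerOrInfinity: NaN and +/-0 become 0, infinities stay, anything else is
// truncated toward zero (-0 is normalised to 0 here for comparison purposes).
function toIntegerOrInfinity(value) {
  const num = Number(value);
  if (Number.isNaN(num) || num === 0) return 0;
  if (!Number.isFinite(num)) return num;
  return Math.trunc(num) || 0;
}

// ToIndex (ECMA-262): undefined -> 0; negative or above 2^53-1 -> RangeError.
// Strings, booleans and null go through Number(), so "3" -> 3 and "foo" -> 0.
function toIndex(value) {
  if (value === undefined) return 0;
  const integerIndex = toIntegerOrInfinity(value);
  if (integerIndex < 0) throw new RangeError(`invalid index ${String(value)}`);
  // ToLength clamps to 2^53-1; if the clamp changed the value, it is rejected.
  const index = Math.min(integerIndex, MAX_SAFE_LENGTH);
  if (index !== integerIndex) throw new RangeError(`index too large: ${String(value)}`);
  return index;
}

// Resulting length of `new Uint8Array(value)` on this engine, or the error
// name when the constructor throws.
function engineLength(value) {
  try {
    return new Uint8Array(value).length;
  } catch (e) {
    return e.name;
  }
}

// Same shape for the spec model, so both can be compared side by side.
function specLength(value) {
  try {
    return toIndex(value);
  } catch (e) {
    return e.name;
  }
}

// Constructed inputs a caller might pass by mistake. Only primitives are
// listed: objects take a different path (array-like / iterable) in the spec.
const SAMPLE_INPUTS = [undefined, null, true, "3", "foo", 2.9, -0.5, -1, Infinity, 2 ** 53];

function compareAll(inputs = SAMPLE_INPUTS) {
  return inputs.map((v) => ({ input: v, spec: specLength(v), engine: engineLength(v) }));
}

// Hardened caller: validate the length up front instead of trusting the
// constructor to reject nonsense.
function allocateBuffer(length) {
  if (!Number.isInteger(length) || length < 0) {
    throw new TypeError(`buffer length must be a non-negative integer, got ${String(length)}`);
  }
  return new Uint8Array(length);
}
```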



v33.8.2 (2025-08-26)

This is a minor development, security and bugfix release.

Changes/fixes:

  • Changed the way the address bar focus is handled when navigating to a fragment (#hash or anchor) within an existing URL. It will now re-focus the page the same way a normal address navigation would (resetting the "editing" state, unless the user is actively typing).
  • Implemented support for the :focus-visible CSS pseudo-class.
  • Fixed a potential race condition in font tables. DiD
  • Fixed potential issues with pthread allocations. DiD
  • Fixed an issue in NSS related to the PKCS12 decoder.
  • Security issues addressed: CVE-2025-9181 and several others that do not have a CVE number.



v33.8.1.2 (2025-08-04)

This is a bugfix update addressing issues with NPAPI plugins not working in v33.8.1.1.
For safety reasons, plugins are now also by default set to "ask to activate". It is recommended you keep this default setting and only allow plugins to be activated specifically on the websites you intend to use them.

v33.8.1.1 (2025-07-30)

This is an important bugfix update.

Changes/fixes:

  • Fixed a browser crash in the new code introduced in 33.8.1 around <object> restrictions.
  • Fixed a regression in the styling of the address bar drop-down making links unreadable when highlighted.

v33.8.1 (2025-07-29)

This is a bugfix and security release.

Changes/fixes:

  • Pale Moon no longer accepts nameless cookies. See implementation notes.
  • Improved the "copy as curl" command in devtools further, partially rolling back the DiD changes in previous versions since we aren't offering cross-platform commands and it caused potential issues with overzealous escaping.
  • Fixed a potential use-after-free scenario in the CSS parser.
  • Fixed uninitialized use of fontconfig scenarios for Linux/GTK.
  • Adjusted CSP URI reporting to more closely match the current spec and common browser behavior.
  • Fixed a potential crash in font handling.
  • Adjusted the size of WASM compiled table size limits to match V8/Gecko.
  • Increased restrictions on the types of data loads <object> elements are allowed to trigger, to match the fetch spec more closely.
  • Fixed build issues for PPC architectures.
  • Security issues addressed: CVE-2025-8031, CVE-2025-8028 (DiD), CVE-2025-8037 (and related), CVE-2025-8029, and several others that do not have a CVE number.
Implementation notes:
  • From this version forward we no longer accept nameless cookies. If a cookie has no name and starts with an equal sign, it is outright rejected. If a cookie consists only of a string with no equal sign, it is interpreted as a valueless cookie with the name set to the string. This departs from our inherited Mozilla behavior where this was previously treated as a nameless cookie with the string as the value.
    RFC 6265 forbids cookies without an equal sign (§5.2 step 2), but browsers accept them anyway for web compatibility reasons (poor web design). Moreover, §5.2 step 5 explicitly forbids nameless cookies.
    Valueless names also make more sense in a web context: Set-Cookie itself supports Secure and HttpOnly as valueless attributes, and HTML supports valueless attributes as well.
    Our new behavior therefore makes more logical sense, is closer to the spec and general principles, aligns with WebKit/Safari and solves a whole class of potential security bugs like CVE-2025-8037. Apologies if this causes web compat issues, but it's the sane thing to do when encountering non-compliant cookies.


v33.8.0 (2025-07-01)

This is a major development, bugfix and security release.

Changes/fixes:

  • Pale Moon now includes all non-ubiquitous image and media types in the navigation Accept: header, as discussed in the relevant whatwg fetch spec issue.
  • Implemented .toJSON() for DOMRect, DOMPoint and DOMMatrix.
  • Added a base implementation of the SVGGeometryElement API. This is currently limited to .pathLength, getTotalLength() and getPointAtLength(distance) for SVG paths.
  • Added a base-64/character validity grammar check for CSP nonces.
  • Enabled JPEG-XL support unconditionally.
  • Improved desktop ARM media capabilities.
  • Improved our handling of CSP checks (multiple improvements surrounding loading principal checks).
  • Added several Mac-specific file types to be treated as executables.
  • Updated the emoji font to Unicode 16.0.0. We can now finally have the "tired dev" emoji 🫩!
  • Updated SQLite library to 3.50.1.
  • Updated NSS to 3.90.7.1 to fix some issues with some sites due to prior root certificate updates.
  • Updated code dealing with internal URL rewrites for YouTube.
  • Changed the Firefox compatibility mode version to 128.
  • Changed how .click() on <A> elements is handled. See implementation notes.
  • Changed DOMMatrix's rotate() and rotateSelf() functions to accept 3D rotation instead of 2D, per spec.
  • Changed CSS parameter animation to round values instead of truncating them, per spec.
    This affects all integer properties (e.g. z-index) and font-stretch.
  • Changed HTML element attribute parsing to additionally escape < and > characters, per spec.
  • Fixed a regression in XUL <tree> elements where column selection would omit the first-defined column.
  • Fixed a minor issue in DOMSVGPoint finity checks.
  • Fixed some minor platform issues and updated Mac SDK checks.
  • Fixed an issue when device contrast values would be unset in Mac or Windows+DirectWrite.
  • Fixed an issue in 33.7.2's updated "Copy as curl" feature which could potentially mangle URLs.
  • Fixed an issue with FontFaceSet loading.
  • Removed support for very old libavcodec versions (before v58).
  • Removed the CSP referrer directive as it's no longer in the spec.
  • Removed preloading of a number of media libraries on Windows. See implementation notes.
  • Removed the allowance of <A> in image maps. Only <area> is now supported.
  • Removed several obsolete and unused preferences from about:config.
  • Removed obsolete NPN preferences and calls. NPN has long since been replaced by ALPN.
  • Removed obsolete SVGZoomEvent interface and handlers.
  • Security issues addressed: CVE-2025-6429, CVE-2025-6424 (DiD) and CVE-2025-6426.
Implementation notes:
  • Normally, when a script issues a simulated click on an element, that click is issued on the document the element is in. Unfortunately there has been a perceived bug in mainstream browsers where this didn't happen on anchors (<A>, hyperlinks) and the browser would navigate even if that anchor was not actually in a web page document (i.e. just created as a reference in scripting). This was eventually made an accepted behaviour in the specification as an exception, describing this bug as expected behavior. Pale Moon has now changed how it handles .click() events on anchors to follow this behavior. This primarily impacts some select "download button" behavior on the web where this behavior quirk for anchors is relied on.
  • Previously, Pale Moon would preload a number of media .dll files into the browser, causing resource use even if there was no media to be decoded or played back in the browsing session yet. This was primarily done in inherited Mozilla code for EME to work. Since we don't support in-browser DRM, this preloading is wholly unnecessary and has been removed.

You can find the release notes for previous releases of Pale Moon on the Archived Release Notes page.