Pale Moon

v34.0.1 (2026-01-22)
This is a minor release to address some critical issues in the new
milestone.
Changes/fixes:
Backed out the expat library update for causing memory
inflation and browser hang issues on XUL/XML and SVG files with
particularly large attributes.
Backed out the change of the Javascript PRNG for causing
intermittent issues and crashes on 32-bit platforms.
Both of these issues are being investigated and can hopefully re-land
with the next development release.

v34.0.0 (2026-01-20)
This is a new milestone release! There are many changes in this
milestone; the most important ones are highlighted here.
New features:
Our default theme on Windows received a refresh and update.
It should integrate better with Windows 11 now, and be more responsive
to dark accent colors, among other things.
Implemented WeakRef. See implementation notes.
Implemented URL.canParse().
Implemented the inset-block and inset-inline
CSS shorthands.
Added a preference (privacy.forgetaboutsite.clearPasswords)
to control clearing of passwords when
using "forget about this site" in the permissions manager, and disabled
clearing of passwords by default, since it was considered unexpected
behavior by the community.
Changed our JavaScript PRNG to Xoroshiro128++ to make it
more robust while keeping high performance.
Important updates and fixes:
(省略されました)

v33.9.1 (2025-10-21)
This is a bugfix and security update.
Changes/fixes:
Temporarily backed out the implementation of CSS Cascade
Layers for causing layout issues on websites. This will re-land when
fixed.
Temporarily backed out the implementation of CSS color-mix
for causing crashes. This will re-land when fixed.
Per request from our user base, the blank page with the
Pale Moon logo (default for new tabs) will now have an appropriate
title (for e.g. identification in tab and window title).
Further improved the "copy as cURL" devtools function. (CVE-2025-11713)
Implementation notes:
There was one reported security issue (CVE-2025-11712) that
was investigated but rejected, as adoption of the mitigation for a
non-critical sec issue that requires very specific environments to be
exploited (with considerable blame for the webmaster) would, in fact,
require us to go against some very clear specifications in the HTML
standard. Mozilla adopted this primarily for behavioral parity with
(省略されました)

v33.9.0.1 (2025-09-24)
This is a small, critical update to address issues with the browser's
stability and usability due to the 33.9.0 changes to X-Content-Type-Options:
nosniff header parsing.
Mac and FreeBSD will follow shortly when the maintainer has been able
to build the update.
This is a major development, bugfix and security release, focusing

v33.9.0 (2025-09-23)
This is a mjor development, bugfix and security release, focusing
primarily on improving web compatibility.
Special thanks to the students from the University of the Philippines
Los Baños for their work on improving CSS in the platform over the
summer!
New features:
Implemented the CSS4 revert keyword.
Implemented the clip keyword for overflow.
See implementation notes.
Implemented axis-shorthand parsing of overflow.
This should fix some issues with areas being unscrollable on the web.
Implemented CSS color-mix (RGB and HSL color
spaces only).
Implemented CSS @supports(selector(<complex
selector>)) syntax.
Implemented CSS Cascade Layers @layer support.
Implemented support for CSS clip-path:<geometry-box>
without actually supplying a clip path to use. See implementation notes.
(省略されました)

v33.8.2 (2025-08-26)
This is a minor development, security and bugfix release.
Changes/fixes:
Changed the way the address bar focus is handled when
navigating to a fragment (#hash or anchor) within an existing URL. It
will now re-focus the page the same way a normal address navigation
would (resetting the "editing" state, unless the user is actively
typing).
Implemented support for the :focus-visible
CSS pseudo-class.
Fixed a potential race condition in font tables. DiD
Fixed potential issues with pthread allocations. DiD
Fixed an issue in NSS related to the PKCS12 decoder.
Security issues addressed: CVE-2025-9181 and several others
that do not have a CVE number.

v33.8.1.2 (2025-08-04)
This is a bugfix update addressing issues with NPAPI plugins not
working in v33.8.1.1.
For safety reasons, plugins are now also by default set to "ask to
activate". It is recommended you keep this default setting and only
allow plugins to be activated specifically on the websites you intend
to use them.
v33.8.1.1 (2025-07-30)
This is an important bugfix update.
Changes/fixes:
Fixed a browser crash in the new code introduced in 33.8.1
around <object> restrictions.
Fixed a regression in the styling of the address bar
drop-down making links unreadable when highlighted.
v33.8.1 (2025-07-29)
This is a bugfix and security release.
Changes/fixes:
Pale Moon no longer accepts nameless cookies. See
implementation notes.
(省略されました)

v33.7.2 (2025-06-03)
This is a security release.
Changes/fixes:
Addressed PWN2OWN-2025-1 (out of bounds read or write in promise)
DiD
Addressed PWN2OWN-2025-2 (out of bounds read or write when
using the ExtractLinearSum optimization) DiD
Fixed potential unexpected behavior in embedded protobuf
code. DiD
Fixed an issue with potentially uninitialized contrast
values when enhanced device contrast values can not be read from the
O.S. DiD
Fixed potential sanitization issues with devtools' "Copy as
curl" feature.
It should be noted that we do not currently offer cross-platform "curl"
features, so this is another DiD
for this release.

v33.7.1 (2025-05-06)
This is bugfix and security release.
Changes/fixes:
Fixed a crash dealing with BigInt in
Javascript compilation.
Updated NSS to 3.90.7 to pick up a security fix.
Updated devtools to escape some more characters in "Copy as
cURL" on POSIX operating systems. DiD

v33.7.0 (2025-04-08)
This is a development, bugfix and security release.
Changes/fixes:
Implemented CSS two-location color stop logic. This allows
for two-location color stops (`color x% y%`) in gradients,
which is shorthand for `color x%, color y%` where both
colors are equal.
Our minimum GCC version requirement to build is now 9.1.
Improved channel handling when CSP blocks network redirects.
Implemented several fixes for CORS preflight requests.
Added explicit whitelisting from CSP content loading of javascript:
scheme URLs.
Updated the ffvpx library to 6.0.1, this time preventing
video color range regressions. An update to 6.0 was previously backed
out in 33.5.0.
Updated the JPEG-XL library to 0.11.1 to pick up several
fixes and improve decoding compatibility of jxl files.
Updated the SQLite library to 3.49.1.
Fixed a spec compliance issue with DOMRect and DOMQuad
(省略されました)

v33.6.1 (2025-03-11)
This is a security, bugfix and stability update.
Important: Mac
and FreeBSD builds will be updated soon. They are currently not yet
ready due to builder absence.
Changes/fixes:
Simplified some WASM code generation in the Ion JIT
compiler.
Fixed a crash in loading external resource maps.
Disabled potentially unsafe attempts at recovering JIT
operations.
Fixed some minor linking issues in about:rights.
Updated the embedded emoji font to fix incorrect display of
some of the wheelchair emoji.
Security issues addressed: CVE-2025-1934 (DiD).