Pale Moon

v33.8.2 (2025-08-26)
This is a minor development, security and bugfix release.
Changes/fixes:
Changed the way the address bar focus is handled when
navigating to a fragment (#hash or anchor) within an existing URL. It
will now re-focus the page the same way a normal address navigation
would (resetting the "editing" state, unless the user is actively
typing).
Implemented support for the :focus-visible
CSS pseudo-class.
Fixed a potential race condition in font tables. DiD
Fixed potential issues with pthread allocations. DiD
Fixed an issue in NSS related to the PKCS12 decoder.
Security issues addressed: CVE-2025-9181 and several others
that do not have a CVE number.

v33.8.1.2 (2025-08-04)
This is a bugfix update addressing issues with NPAPI plugins not
working in v33.8.1.1.
For safety reasons, plugins are now also by default set to "ask to
activate". It is recommended you keep this default setting and only
allow plugins to be activated specifically on the websites you intend
to use them.
v33.8.1.1 (2025-07-30)
This is an important bugfix update.
Changes/fixes:
Fixed a browser crash in the new code introduced in 33.8.1
around <object> restrictions.
Fixed a regression in the styling of the address bar
drop-down making links unreadable when highlighted.
v33.8.1 (2025-07-29)
This is a bugfix and security release.
Changes/fixes:
Pale Moon no longer accepts nameless cookies. See
implementation notes.
(省略されました)

v33.7.2 (2025-06-03)
This is a security release.
Changes/fixes:
Addressed PWN2OWN-2025-1 (out of bounds read or write in promise)
DiD
Addressed PWN2OWN-2025-2 (out of bounds read or write when
using the ExtractLinearSum optimization) DiD
Fixed potential unexpected behavior in embedded protobuf
code. DiD
Fixed an issue with potentially uninitialized contrast
values when enhanced device contrast values can not be read from the
O.S. DiD
Fixed potential sanitization issues with devtools' "Copy as
curl" feature.
It should be noted that we do not currently offer cross-platform "curl"
features, so this is another DiD
for this release.

v33.7.1 (2025-05-06)
This is bugfix and security release.
Changes/fixes:
Fixed a crash dealing with BigInt in
Javascript compilation.
Updated NSS to 3.90.7 to pick up a security fix.
Updated devtools to escape some more characters in "Copy as
cURL" on POSIX operating systems. DiD

v33.7.0 (2025-04-08)
This is a development, bugfix and security release.
Changes/fixes:
Implemented CSS two-location color stop logic. This allows
for two-location color stops (`color x% y%`) in gradients,
which is shorthand for `color x%, color y%` where both
colors are equal.
Our minimum GCC version requirement to build is now 9.1.
Improved channel handling when CSP blocks network redirects.
Implemented several fixes for CORS preflight requests.
Added explicit whitelisting from CSP content loading of javascript:
scheme URLs.
Updated the ffvpx library to 6.0.1, this time preventing
video color range regressions. An update to 6.0 was previously backed
out in 33.5.0.
Updated the JPEG-XL library to 0.11.1 to pick up several
fixes and improve decoding compatibility of jxl files.
Updated the SQLite library to 3.49.1.
Fixed a spec compliance issue with DOMRect and DOMQuad
(省略されました)

v33.6.1 (2025-03-11)
This is a security, bugfix and stability update.
Important: Mac
and FreeBSD builds will be updated soon. They are currently not yet
ready due to builder absence.
Changes/fixes:
Simplified some WASM code generation in the Ion JIT
compiler.
Fixed a crash in loading external resource maps.
Disabled potentially unsafe attempts at recovering JIT
operations.
Fixed some minor linking issues in about:rights.
Updated the embedded emoji font to fix incorrect display of
some of the wheelchair emoji.
Security issues addressed: CVE-2025-1934 (DiD).

v33.6.0.1 (2025-02-20)
This is an extra update to mitigate as much of the CloudFlare issues
leading to browser hangs and memory issues as possible on the web
browser side. Unfortunately CloudFlare still hasn't pulled their
scripts that seem to deliberately
cause these issues on Pale Moon and other independent browsers they
seem to want to keep from the websites they "protect". If you are
interested in learning more, check out the forum thread where we're discussing this issue.
Once again, please consider reporting any and all
occurrences of failing or looping CloudFlare checks on websites to
CloudFlare as well as the owners of affected websites (you may have to
temporarily use a Chromium-based browser to do this).
Changes/fixes:
Disabled CSP reporting temporarily to work around memory
issues caused by CloudFlare's scripting. While CSP reporting is
important to inform webmasters of issues with their content security
policies, not having the browser eat up all memory is more critical. We
do intend to re-enable this when the issue is resolved on CloudFlare's
side.
(省略されました)

v33.6.0 (2025-02-07)
This is a development, bugfix and security release.
Due to the fact that CloudFlare has been causing application crashes
that impacts many users, this release has been pulled forward a few
days to address these crashes with priority (should be fixed in this
release).
Please note that at the time of publication of this browser version and
release notes, even though crashes have been fixed, CloudFlare is
denying UXP-based browsers as well as several other independent/smaller
browsers access to many websites by way of their malfunctioning
"security check" or captcha, with no
priority given to actually fix it despite it being denial of service
for users of affected browsers. Please consider reporting any and all
occurrences of a failing or looping CloudFlare checks on websites to
CloudFlare as well as the owners of affected websites (you may have to
temporarily use a Chromium-based browser to do this).
Changes/fixes:
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
(省略されました)

v33.5.1 (2025-01-15)
This is a small bugfix and security release.
Changes/fixes:
Changed the way cookies are handled internally to fix an
issue with cookie database corruption as a result of updates to domain
suffixes.
Fixed an issue with Alternative-Services protocol
negotiation.
Fixed a potential crash scenario with Structured Clone
operations. DiD
Fixed a potential issue with line breaking if out of memory.
Fixed a rare crash with opportunistic encryption.
Minor code cleanup.
Security issues addressed: CVE-2025-0239 and CVE-2025-0238.
2009-2025 Moonchild Productions - All rights reserved
Important legal considerations surrounding Pale Moon.

v33.5.0 (2024-12-05)
This is a development, bugfix and security release.
Note: Intel Mac builds are now "ad hoc" signed instead of unsigned,
which should solve potential issues with newer macOS while still being
compatible with old OS X. If you experience issues, please post in the Mac
board on the forum for support.
Changes/fixes:
Implemented Regular Expression "match indices" (/d) feature.
Added a way to programmatically clear the DNS cache in the
browser, and added a button to the UI for it in about:networking.
Updated handling of referrer policies to adhere to the
updated spec.
CSS font variations keywords no longer throw
an error. See implementation notes.
CSS border-radius will now also apply to
element outlines.
Improved the display of amount of cached web content in
preferences when cache is being cleared.
Improved the installer AVX check to skip on early versions
(省略されました)

v33.4.0.1 (2024-10-09)
This is a small update to address two important issues:
Extension compatibility issues with the ghostbuster
(leading to tab handling problems).
Windows 7 compatibility issues in 32-bit builds on some
systems (leading to application UI paint failures/black window).