- Fixed a number of crashes.
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
- Added a fix for TLS 1.3 handshakes causing a browser hangup.
Handshakes should be considerably faster now and no longer stall in the wrong circumstances.
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
- Fixed a UAF in WebSockets (CVE-2017-7800)
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.