This is an important update to improve features and performance, as well as address important security issues.
- Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
Note that older operating systems or video cards may be limited in their support of these features.
- Updated the ANGLE library to a much more current version.
- Removed the crash reporter code completely to improve overall browser responsiveness and operation.
Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on crash reporter data-gathering tools.
- Removed the Mozilla Plugin Finder Service (no longer in use @Mozilla).
- Android: removed the Mozilla "product announcements" service.
- Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10)
- Significantly improved performance and accuracy of date/time/timer handling.
- Significantly improved performance of the creation of DOM nodes with plain text content.
- Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
- Added an "Open link in current tab" context menu entry on links for UI consistency.
- Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
- Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
- Added Windows 10 compatibility in executable manifests.
- Android: Fixed a crash on GL canvas surfaces.
- Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
- Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
- Fixed a bug where the address bar would incorrectly be cleared.
- Fixed padding issues for dropdown lists.
- Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
- Disabled all RC4-based encryption ciphers by default.
- Fixed several miscellaneous memory safety hazards.
(applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
- Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
- Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
- Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
- Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
- Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
- Fixed a potential PNG heap-overflow crash. DiD
- Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.