IMPORTANT: If you use a language pack, make sure to update it to the latest version! We do have automatic updates enabled for language packs but please double-check that the version matches. If you are using an older language pack with this version of the browser, some dialog boxes may come up blank.
This is a major update - a release with many changes and fixes, the most important ones highlighted below.
- Updated SQLite from 3.7.17 to v126.96.36.199, improving history/bookmark/etc. performance by up to 50% depending on operation.
- Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
- Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
Of course you can still use the previous shading if you wish by setting browser.padlock.urlbar_background to 1
- Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
- Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
- Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded.
The new preference is dom.ipc.plugins.unloadTimeoutSecs and lists the delay before unloading in seconds. If you want to immediately unload plugins when you close a page or navigate away (warning: this can cause spurious loading/unloading and slow down the browser!), set this value to 0.
- Fixed version strings for e.g. flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version.
- Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word).
If you want to restore the previous behavior, set the preference layout.word_select.eat_space_to_next_word to true.
- Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile.
- Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand.
- Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions, causing errors to be thrown in the terminal/console and not using the intended memory allocator.
- Android: updated the random number generator handling on later versions of Android.
- Added fix to prevent spurious re-paints with plugins (performance/UX improvement).
- Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!).
- Optimized the NSS callback for secure connections.
- Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org.
- Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon appmenu/button).
- Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!).
- Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable.
- Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
- Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface (nsISSLStatus.cipherSuite).
- Dev: Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android.
If you are an extension developer who wants to provide your own about: page, you should also make it unlinkable this way to prevent undesired use in web pages.
- Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser.
- Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth.
- Removed most telemetry code, reducing code complexity and wasted CPU.
Depending on your computer in use, this may be a significant change to the smoothness of browser operation.
- Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
- Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
- Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches.
- Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
- Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that operating system.
- Linux: removed GnomeVFS that's no longer in use.
- Fixed the "double padlock while loading a secure site" niggle in the UI.
- Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of the control).
- Added some more ES6 math/number functions:
- Implemented Math.fround(x)
- Implemented Number.isSafeInteger(x)
- Implemented Math.clz32(x)
- Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0815 and CVE-2015-0815.
- Fixed CVE-2015-0811 [qcms] heap info leak.
- Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements.
- Fixed CVE-2015-0801 a variant of CVE-2015-0818.
- Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android.
- Fixed CVE-2015-0798 access to privileged URLs through about: redirector.