- Updated the ICU lib to 58.2 to fix a number of issues.
- Added proper control for the user for offline storage for web applications.
- Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
- Added the feature to pass a URL to open in a private window from the command-line.
- Improved the display of the downloads indicator on the button in bright-text situations.
- DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
- Allowed toolbar button badges to be properly styled.
- Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
- Fixed desktop notifications being off-screen if fired in rapid succession.
- Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
- Added support for JPEG-XR images.
This makes Pale Moon have the broadest support for image formats of all web browsers.
(enabled by default; you can disable this with media.jxr.enabled).
- Completely removed the use of GStreamer on Linux.
- Added support for Element.innerText.
- Custom toolbars should now properly remember their state.
- Fixed some more playback issues with MP4/MSE videos.
Please be aware that we are still working on further improving MSE video handling.
- Changed media processing to reduce dangerous processing asynchronicity.
This should also make media elements and playback more responsive.
- Fixed a useragent string regression always displaying the minor Goanna version as .0
- Updated NSPR to 4.13.1.
- Updated NSS to 3.28.3-RTM.
- Fixed unrestricted icon sizes in PMkit buttons.
- Fixed unresponsive buttons on support page when not building the updater.
- Fixed the use of "View image" and "Save image as" on extremely large images.
- Changed the way "View Image" and "Save image as" work on canvas elements.
- Made checking for dangerously large resolution PNG images smarter.
It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
- Converted several hard-coded URLs to preferences.
- Updated the google.com override so it would not cripple services based on UA sniffing.
- Added Inner and Outer Window ID administration.
- Fixed the add-on discovery pane detection.
- Added support for canvas ellipse.
- Improved drawing of certain MathML elements at problematic zoom levels.
- No longer building gamepad support.
- Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
- Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
- Aligned SVG specular filters with the spec.
- Added support for 256-bit AES-GCM encryption.
- Added support for ChaCha20-Poly1305 encryption.
- Removed support for Camellia-GCM since nobody seems interested in it.
(Camellia in 128/256-bit CBC block mode is still fully supported)
- Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
- Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
- Fixed print preview hijacking. (CVE-2017-5421)
- Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
- Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
- Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
- Fixed crash in directional controls. (CVE-2017-5413)
- Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
- Fixed the use of an uninitialized value. (CVE-2017-5405)
- Fixed a buffer overflow. (CVE-2017-5412)
- Fixed a UAF situation. (CVE-2017-5403)
- Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
- Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
- Fixed a potential issue with HTTP auth. (CVE-2017-5418)
- Fixed several memory safety hazards and potentially exploitable crashes. DiD
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.