Pale Moon 33.2.0

Pale Moon is an Open Source, Goanna-based web browser available for Microsoft Windows, Linux and Android, focusing on efficiency and ease of use. Make sure to get the most out of your browser!

Pale Moon offers you a browsing experience in a browser completely built from its own, independently developed source that has been forked off from Firefox/Mozilla code, with carefully selected features and optimizations to improve the browsers speed, resource use, stability and user experience, while offering full customization and a growing collection of extensions and themes to make the browser truly your own.

Features:

  • Optimized for modern processors
  • Based on proprietary optimized layout engine (Goanna)
  • Safe: forked from mature Mozilla code and regularly updated
  • Secure: Additional security features and security-aware development
  • Supported by our user community, and fully non-profit
  • Familiar, efficient, fully customizable interface
  • Support for full themes: total freedom over any elements design
  • Support for easily-created lightweight themes (skins)
  • Smooth and speedy page drawing and script processing
  • Increased stability: experience fewer browser crashes
  • Support for many Firefox extensions
  • Support for a growing number of Pale Moon exclusive extensions
  • Extensive and growing support for HTML5 and CSS3
  • Many customization and configuration options

Pale Moon 33.2.0 changelog:

This is a development, stability and security release.Note: Mac builds have switched to Xcode 15 and are now cross-compiled from Apple silicon for Intel targets. While the resulting builds have been tested on a few Intel Mac systems, this is a big build change, so please get in touch through Pale Moon forum if you experience any issues with these builds on Mac.New features

  • Implemented the missing parts of the html5 element, including modal handling and custom backdrops.
  • Implemented courser, user-configurable granularity for the canvas poisoning anti-fingerprinting measure. See implementation notes.
  • Implemented new CSS viewport units svw, svh, svmin, svmax, lvw, lvh, lvmin, lvmax, dvw, dvh, dvmin and dvmax.
  • Implemented new CSS logical viewport units vb, vi, svb, svi, lvb, lvi, dvb and dvi.

Changes/fixes

  • Removed the archaic and wholly outdated FIPS security module code.
  • Removed the archaic DBM support code for storing of passwords in DBM format files.
  • Removed the -moz prefix from -moz-fit-content, aligning with the current CSS standard fit-content value.
  • Updated our build system by adopting parts of the old autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build requirement. If you build from source, you may want to review your dependencies with this change.
  • Fixed issues when building with GCC 14.* and Clang 16.*.
  • Fixed issues with emoji sequence clusters causing incorrect rendering of emoji glyphs in some cases.
  • Made some arguments to the legacy XPathEvaluator/XPathExpression interfaces optional for web compatibility.
  • Fixed a crash when reporting JavaScript module exporting errors.
  • Updated checking of special cookie prefixes to be case-insensitive in accordance with the current RFC 6265 (bis-11+).
  • Fixed issues with external protocol handlers.
  • Fixed an issue where autocomplete pop-ups would stay open in some circumstances.
  • Fixed an issue with potentially bad file names being entered by the user to "Save As...".
  • Fixed several crashes and race conditions.
  • Security issues addressed: CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690, CVE-2024-5698 DiD, CVE-2024-5688 DiD, CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE numbers assigned to them.

Implementation notes

  • While we have had canvas data poisoning as an option for a very long time (we introduced it as a concept), it was pointed out that having a fast rotation on the poisoning leading to new and unique canvas hashes every time a user would navigate was a red flag to trackers that poisoning is being employed, mitigating its intent. A different implementation of canvas poisoning was created that will still provide human-imperceptible data manipulation of canvases leading to bogus hashes for trackers, but now in such a way that this hash will not change for a courser, but variable time frame. This time frame defaults to 5 minutes in this release, which may be tweaked in the future if necessary, but is also entirely user-configurable between 1 second and 8 hours with the preference canvas.poisondata.interval (indicated in seconds).