|Version||27.9.2 27.9.1 27.9.0 27.8.3 27.8.2 27.8.1 27.8.0 27.7.2 27.7.1 27.7.0 27.6.2|
2018/05/19 ver 27.9.2
This is a security and stability update.
We changed the language strings for softblocked items so
people will cry less when we do our job.
(CVE-2018-5174) Prevent potential SmartScreen bypass on
(CVE-2018-5173) Fixed an issue in the Downloads panel
improperly rendering some Unicode characters, allowing for the file
name to be spoofed. This could be used to obscure the file extension of
potentially executable files from user view in the panel.
(CVE-2018-5177) Fixed a vulnerability in the XSLT component
leading to a buffer overflow and crash if it occurs.
(CVE-2018-5159) Fixed an integer overflow vulnerability in
the Skia library resulting in possible out-of-bounds writes.
(CVE-2018-5154) Fixed a use-after-free vulnerability while
enumerating attributes during SVG animations with clip paths.
(CVE-2018-5178) Fixed a buffer overflow during UTF8 to
2018/05/07 ver 27.9.1
This is a maintenance release.
Removed the unused/incomplete places protocol handler.
Worked around an issue with MSE media without a Track ID.
This should help with the playability of some live streams.
Ported across jemalloc improvements from UXP.
Ported across cairo mutex improvements from UXP.
Added support for FFmpeg 4.0/libavcodec 58.
Added a fix for Windows 10's "isAlpha()" not being what one
would expect in v1803.
2018/04/17 ver 27.9.0
This is the last major development update for the v27 milestone.
After this, we will be focusing our efforts for new features entirely
on UXP and the new v28 milestone building on it. We will continue to
support v27.9 with security and stability updates for a while, but no
major new features will be added from this point forward.
Fixed a number of spec compliance issues in our media
Added a trailing slash to referrers when policy is set to
fix some web compatibility issues.
Fixed the property order in
Object.getOwnPropertyNames(string) and others for web compatibility.
Updated RegExp(RegExp object, flags) to the ES6 standard
Changed the embedded font from the no longer free EmojiOne
to the open-licensed Twemoji (with additional fixes). This also further
extends Unicode support to Unicode 10 emoji(s). Please note that as a
2018/03/29 ver 27.8.3
This is a small update to address a pervasive crashing issue.
Backed out some responsive layout code that caused
intermittent but not uncommon crashes in the browser depending on
window sizes and page content.
2018/03/23 ver 27.8.2
This is a security update.
Privacy fix: prevented update checks for the default theme.
Added a user-agent override for Dropbox to improve
compatibility with their service.
Fixed an issue with mouseover handling related to
Disabled the Mac OSX Nano allocator. DiD
Fixed (CVE-2018-5129) OOB Write.
Updated the lz4 library to 1.8.0 to solve potential issues.
Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
Fixed several memory safety and synchronicity hazards.
DiD This means that
2018/03/06 ver 27.8.1
This is a small update to address some breaking issues.
Backed out the NSPR/NSS update from 27.8.0 for causing
crashes, general operational instability and handshake issues.
Disabled TLS 1.3 draft support by default, because with the
NSS backout we only support an older draft right now that is no longer
current and may cause connectivity issues. You can manually re-enable
it at your own risk in about:config by setting security.tls.version.max
2018/03/02 ver 27.8.0
This is a development update with new and improved features and
Added support for emojis on Windows systems that have
relatively poor support for them with standard font sets by including
our own font (EmojiOne based for now).
Added a setting in preferences to select the use of tab
previews with Ctrl+Tab.
Added Eyedropper menu entry to the AppMenu.
Added a preference to control whether the text cursor
(caret) should be thicker when dealing with CJK characters or not
(default = yes).
Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
Added support for ES6 "Symbol species".
Updated our TLS 1.3 support to the latest (probably final)
Fixed gap inconsistency in the tabstrip.
Fixed a number of browser crashes.
2018/02/01 ver 27.7.2
This is a security and stability update.
Changed the X-Content-Type-Options: nosniff
behavior to only check "success" class server responses, for web
Changed the performance timer resolution once more to a
granularity of 1 ms, after evaluating more potential ways of abusing
This takes the most cautious approach possible lacking more information
(because apparently NDAs have been signed over this between mainstream
players), follows Safari's lead, and should make it not just infeasible
but downright impossible to use these timers for nefarious purposes in
Improved the debug-only startup cache wrapper to prevent a
Fixed a crash in the XML parser.
Added a check for integer overflow in AesTask::DoCrypto()
2018/01/18 ver 27.7.1
This is a minor emergency update to address website breakage and a
Added support for Array.prototype[@@unscopables].
was incomplete, which caused a number of websites (e.g. Chase on-line
banking, some Russian government sites) to display blank pages or not
finish loading after updating to that version of the browser. This
update should fix the problem by adding the missing part of the feature.
Fixed an issue with the default theme causing tab borders
to be drawn too thick at higher settings for visual element scaling
(125%/150%) in Windows.
2018/01/16 ver 27.7.0
This is a stability and bugfix release, as well as adding a number of
new features to further improve web compatibility.
Reorganized access to preferences (moved to the Tools menu
on Linux, and renamed from "Options" to "Preferences" on Windows).
Renamed "Restart with add-ons disabled" to "Restart in Safe
Mode" to better reflect what it does.
Worked around an issue with some improperly-encoded PNG
files not decoding after our libpng update.
Fixed an issue on Mac builds not properly populating the
Added "My home page" as an option for new tabs.
Added an option to disable the 4th and 5th mouse buttons
(mouse.button4.enabled and mouse.button5.enabled,
Improved the resetting of non-default profiles.
Fixed an issue with details/summary having the incorrect
2017/11/29 ver 27.6.2
This is a security and minor bugfix update to the browser.
This will most likely be the last update for 2017, with the holidays
not far away.
Implemented the concept of so-called "cookie-averse
document objects" which is a security and privacy measure that blocks
certain web content from setting cookies. This mitigates
cookie-injection, which might help against "hidden" cookie tracking.
Mitigated some domain name spoofing through IDN by using
dotless-i and dotless-j with accents. (CVE-2017-7832)
Pale Moon will display these kinds of spoofed domains in punycode now
in the actual address bar.
Please note that the identity panel will always be able to help you on
secure sites when IDNs are in use to notice potential spoofing, as
opposed to relying on detection algorithms in the URL itself. As such,
some other issues like CVE-2017-7833 are already mitigated by us.
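The IDN mitigation described above (dotless i/j combined with an accent shown as punycode) can be sketched as a hostname check. This is an added example, not Pale Moon's code: the function names, the per-label policy and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# The two dotless base letters named in the changelog entry.
DOTLESS = {"\u0131", "\u0237"}  # dotless i, dotless j


def is_dotless_accent_spoof(label: str) -> bool:
    """True if a dotless i/j is directly followed by a combining mark."""
    # NFD splits precomposed letters so every accent is a separate code point.
    decomposed = unicodedata.normalize("NFD", label)
    for base, mark in zip(decomposed, decomposed[1:]):
        if base in DOTLESS and unicodedata.category(mark).startswith("M"):
            return True
    return False


def display_host(host: str) -> str:
    """Hostname as shown to the user: suspicious labels become punycode.

    Assumed policy for this sketch: only the offending label is converted.
    Simplified: full IDNA processing also normalises and validates labels.
    """
    shown = []
    for label in host.lower().split("."):
        if is_dotless_accent_spoof(label):
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


# Constructed sample hostnames (not taken from the page).
SAMPLES = [
    "login.example",               # plain ASCII
    "m\u00fcnchen.example",        # ordinary accented letter, left readable
    "log\u0131\u0301n.example",    # dotless i + combining acute, mimics an accented i
    "\u0237\u0308ava.example",     # dotless j + combining diaeresis
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host!r:35} -> {display_host(host)}")
```

A dotless i with no accent is not flagged by this check; it covers only the accent combination the entry names.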
Fixed an issue with mixed-content blocking. (CVE-2017-7835)