Updates 6/18/24 - Pale Moon

Pale Moon v33.2.0 (2024-06-18)

This is a development, stability and security release.

Note: Mac builds have switched to Xcode 15 and are now cross-compiled from Apple silicon for Intel targets. While the resulting builds have been tested on a few Intel Mac systems, this is a big build change, so please get in touch through our forum if you experience any issues with these builds on Mac.

New features:

• Implemented the missing parts of the html5 <dialog> element, including modal handling and custom backdrops.
• Implemented courser, user-configurable granularity for the canvas poisoning anti-fingerprinting measure. See implementation notes.
• Implemented new CSS viewport units svw, svh, svmin, svmax, lvw, lvh, lvmin, lvmax, dvw, dvh, dvmin and dvmax.
• Implemented new CSS logical viewport units vb, vi, svb, svi, lvb, lvi, dvb and dvi.

Changes/fixes:

• Removed the archaic and wholly outdated FIPS security module code.
• Removed the archaic DBM support code for storing of passwords in DBM format files.
• Removed the -moz prefix from -moz-fit-content, aligning with the current CSS standard fit-content value.
• Updated our build system by adopting parts of the old autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build requirement. If you build from source, you may want to review your dependencies with this change.
• Fixed issues when building with GCC 14.* and Clang 16.*.
• Fixed issues with emoji sequence clusters causing incorrect rendering of emoji glyphs in some cases.
• Made some arguments to the legacy XPathEvaluator/XPathExpression interfaces optional for web compatibility.
• Fixed a crash when reporting JavaScript module exporting errors.
• Updated checking of special cookie prefixes to be case-insensitive in accordance with the current RFC 6265 (bis-11+).
• Fixed issues with external protocol handlers.
• Fixed an issue where autocomplete pop-ups would stay open in some circumstances.
• Fixed an issue with potentially bad file names being entered by the user to "Save As...".
• Fixed several crashes and race conditions.
• Security issues addressed: CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690, CVE-2024-5698 DiD, CVE-2024-5688 DiD, CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE numbers assigned to them.

Implementation notes:

• While we have had canvas data poisoning as an option for a very long time (we introduced it as a concept), it was pointed out that having a fast rotation on the poisoning leading to new and unique canvas hashes every time a user would navigate was a red flag to trackers that poisoning is being employed, mitigating its intent. A different implementation of canvas poisoning was created that will still provide human-imperceptible data manipulation of canvases leading to bogus hashes for trackers, but now in such a way that this hash will not change for a courser, but variable time frame. This time frame defaults to 5 minutes in this release, which may be tweaked in the future if necessary, but is also entirely user-configurable between 1 second and 8 hours with the preference canvas.poisondata.interval (indicated in seconds).

=======

Available via the internal updater:   Help / Check for Updates

or Full downloads:   Pale Moon for Windows downloads