The Pale Moon development team has released a new version of the web browser. The new version is a security and usability update and as such a recommended update for users of the browser.

Pale Moon 27.9.4 is offered through the web browser's automatic updating system and as a separate download. Pale Moon users select Pale Moon > Help > About Pale Moon to display the current version. A click on Check for Updates runs an update check; any new version found during the check can be downloaded and installed using the functionality.

Users who prefer to download the web browser manually instead can do so on the official project website.

Pale Moon 27.9.4

Pale Moon 27.9.4 introduces several usability improvements in the web browser. Users who had issues downloading and install extensions from Mozilla's official Add-ons repository should be able to do so again.

The new version updates the useragent for Mozilla's Add-ons website to circumvent the "only with Firefox" reminders when accessing the site with the Pale Moon browser. The change should provide Pale Moon users with theme and extension downloads on Mozilla's website.

The team removed references to Mozilla's add-ons store in Pale Moon in early 2018 to prepare for the inevitable removal of all classic add-ons from Mozilla AMO. Work on another browser, called Basilisk, began in 2017.

While Pale Moon users cannot install WebExtensions in the browser, the bulk of legacy add-ons should work fine. The Pale Moon team maintains its own extensions store on the official website.

Pale Moon restricts web access to the moz-icon:// scheme because it "could potentially be abused to infringe the user's privacy". Last but not least, the new version does include a fix for the preference file not being writable.

The new version of Pale Moon includes several security fixes and Defense-in-Depth changes:

  • Prevented various location-based threats.
  • Fixed a potential vulnerability with plugins being redirected to different origins (CVE-2018-12364).
  • Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
  • Fixed an issue with invalid qcms transforms (CVE-2018-12366).
  • Fixed a buffer overflow using the computed size of canvas elements (CVE-2018-12359).
  • Fixed a use-after-free when using focus() (CVE-2018-12360).
  • Added some sanity checks on nsMozIconURI.

Closing Words

Pale Moon users should consider installing the update as soon as possible as it includes security updates and other improvements. As always, it is advised to create a backup of the profile before the update is applied.