Software-update: Pale Moon 33.8.2

Versie 33.8.2 van Pale Moon is uitgekomen. Deze webbrowser is ooit begonnen als een fork van Mozilla Firefox. Door optimalisaties voor moderne hardware en het weglaten van Accessibility-features en Parental Controls presteerde hij toen een stuk beter. Ook was er een 64bit-versie beschikbaar, ruim voordat Mozilla deze zelf aanbood. Intern werkt het op Goanna, een van Mozilla's Gecko afgeleide browserengine. De browser is beschikbaar voor Windows, Linux en macOS, en als bèta ook voor FreeBSD. De download van Pale Moon is alleen in het Engels; een apart Nederlands taalbestand is beschikbaar. Tegenwoordig is het ook vanuit de Microsoft Store te installeren. Sinds versie 33.8.0 zijn de volgende veranderingen en verbeteringen doorgevoerd:

Pale Moon 33.8.2

This is a minor development, security and bugfix release.

Changes/fixes:

• Changed the way the address bar focus is handled when navigating to a fragment (#hash or anchor) within an existing URL. It will now re-focus the page the same way a normal address navigation would (resetting the "editing" state, unless the user is actively typing).
• Implemented support for the :focus-visible CSS pseudo-class.
• Fixed a potential race condition in font tables.
• Fixed potential issues with pthread allocations.
• Fixed an issue in NSS related to the PKCS12 decoder.
• Security issues addressed: CVE-2025-9181 and several others that do not have a CVE number.

Pale Moon 33.8.1.2

This is a bugfix update addressing issues with NPAPI plugins not working in v33.8.1.1.
For safety reasons, plugins are now also by default set to "ask to activate". It is recommended you keep this default setting and only allow plugins to be activated specifically on the websites you intend to use them.

Pale Moon 33.8.1.1

This is an important bugfix update.

Changes/fixes:

• Fixed a browser crash in the new code introduced in 33.8.1 around <object> restrictions.
• Fixed a regression in the styling of the address bar drop-down making links unreadable when highlighted.

Pale Moon 33.8.1 (2025-08-26)

This is a bugfix and security release.

Changes/fixes:

• Pale Moon no longer accepts nameless cookies. See implementation notes.
• Improved the "copy as curl" command in devtools further, partially rolling back the changes in previous versions since we aren't offering cross-platform commands and it caused potential issues with overzealous escaping.
• Fixed a potential use-after-free scenario in the CSS parser.
• Fixed uninitialized use of fontconfig scenarios for Linux/GTK.
• Adjusted CSP URI reporting to more closely match the current spec and common browser behavior.
• Fixed a potential crash in font handling.
• Adjusted the size of WASM compiled table size limits to match V8/Gecko.
• Increased restrictions on the types of data loads <object> elements are allowed to trigger, to match the fetch spec more closely.
• Fixed build issues for PPC architectures.
• Security issues addressed: CVE-2025-8031, CVE-2025-8028 (), CVE-2025-8037 (and related), CVE-2025-8029, and several others that do not have a CVE number.

Implementation notes:

From this version forward we no longer accept nameless cookies. If a cookie has no name and starts with an equal sign, it is outright rejected. If a cookie consists only of a string with no equal sign, it is interpreted as a valueless cookie with the name set to the string. This departs from our inherited Mozilla behavior where this was previously treated as a nameless cookie with the string as the value. RFC 6265 forbids cookies without an equal sign (§5.2 step 2), but browsers accept them anyway for web compatibility reasons (poor web design). Moreover, §5.2 step 5 explicitly forbids nameless cookies.

Valueless names also make more sense in web context: Set-cookie: itself supports secure and httponly as valueless attributes, and HTML supports valueless attributes as well. Our new behavior therefore makes more logical sense, is closer to the spec and general principles, aligns with webkit/Safari and solves a whole class of potential sec bugs like CVE-2025-8037. Apologies if this causes web compat issues, but it's the sane thing to do when encountering non-compliant cookies.