Pale Moon 27.9.2 security update released

Martin Brinkmann
May 19, 2018
Internet, Pale Moon

Pale Moon 27.9.2 is the latest version of the web browser; it was released yesterday to the public and is already available via the web browser's automatic update functionality.

The new version of Pale Moon fixes several security issues in previous versions of the web browser and improves stability as well.

Existing Pale Moon users may select Pale Moon > Help > About Pale Moon to display the installed version of the browser. A click on the "check for updates" button checks for a new version which may be downloaded and installed automatically when found.

Users may download Pale Moon from the official website as well if they prefer that.

Pale Moon 27.9.2

The security fixes match patches that Mozilla released for Firefox ESR 52.8 and Firefox 60. Some security patches are not integrated because they might fix issues that Pale Moon is not affected by; this is the case for features that are not part of Pale Moon.

Pale Moon shares code with the Firefox web browser, and the Pale Moon team usually releases security updates for the browser shortly after Mozilla publishes a new Firefox version with security updates.

Pale Moon 27.9.2 addresses the following security issues:

  • (CVE-2018-5174) Moderate: Prevent potential SmartScreen bypass on Windows 10. Affects Firefox on Windows 10 April 2018 Update machines only. Pale Moon (and Firefox) associated a flag with downloaded files that bypassed SmartScreen verification.
  • (CVE-2018-5173) Moderate: Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
  • (CVE-2018-5177) Moderate: Fixed a vulnerability in the XSLT component leading to a buffer overflow and crash if it occurs.
  • (CVE-2018-5159) High: Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes which could lead to a crash and potential exploit by web content.
  • (CVE-2018-5154) High: Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths that may result in a crash and exploit of the crash.
  • (CVE-2018-5178) Moderate: Fixed a buffer overflow during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable extension in order to occur.

Open the listings on Mozilla's Security site for additional information.

Pale Moon 27.9.2 includes two additional improvements. The new version addresses several stability issues and memory safety hazards, and comes with changed language strings for softblocked items.

Ghacks Technology News

  1. Jody Thornton said on June 25, 2018 at 5:54 pm

    I have been using Roytam1’s modification of Pale Moon v28 (called New Moon) on my old Vista machine. Now there is no longer a need for LAV codecs. Twitter and YouTube work out of the box. And it renders faster and better than v27 by a mile.

    Almost as fast as Quantum. Hmmmm the finished product might offer Quantum some competition.

  2. Anonymous said on June 22, 2018 at 6:41 pm

    To be honest, while Moonchild can be a bit of a jerk, Facebook issues aren’t really his fault. Facebook is a terribly designed platform with all sorts of issues, and they probably only ever test in Chrome.

  3. Jody Thornton said on June 20, 2018 at 7:49 am

    This is one of the things that I can definitely tire of using Pale Moon – constant Facebook issues. Now Facebook reactions don’t work.

    When a small developer says “Your Browser – Your Way”, you just want it to work. Yes it’s perfectly OK to read that tagline and develop expectations as to what that product will be able to do.

    So right now, Waterfox or Quantum are looking like better options. Even whenever this issue is resolved, another pain in the ass is just around the corner.

    1. Jody Thornton said on June 20, 2018 at 9:54 am

      Just an update. The new 28 pre-release version works well enough for getting around this issue for now. Hopefully, this won’t be just a temporary fix.

  4. aGuywhoDidntDie said on June 10, 2018 at 4:47 pm

    Bless The Generous Pale Moon devs. Thank you. Doing eCommerce, love the security updates, this one was painless. just run the

    Instead of getting mad and blaming and pointing fingers, build the new world you want and the old world will become irrelevant.

    Calm your minds, make peace, the damage has already been done, grieving and anger are over, it’s planning and taking action time now, no more tears, no more blame..

  5. Krixus said on June 8, 2018 at 1:34 pm

    It is always interesting to see people hate features and customization. And why?

    – Customization is bloat
    – Customization is outdated
    – Customization is insecure

    All like mindless drones repeating even more mindless propaganda spread by Mozilla which repeats the original propaganda spread by the Chrome dev-team.

    It’s like having a bunch of parrots who try some kind of squeaking contest.

    Compared to the arrogant anti-power-user attitude of Mozilla which are today 100% Anti-geek and anti-nerds, everything for which the Pale Moon devs can be blamed is unimportant in a direct comparison.

    Actually there is only one more disgusting developer like Mozilla is one. And that is Opera. As both are without spine and honor.

    1. Jody Thornton said on June 20, 2018 at 7:53 am


      None of your customization tripe matters a damn when basic functions like Facebook Reactions just STOP working. And you may say, “Well Pale Moonies don’t care about Facebook”, well perhaps so, but your browser’s creator says, “Your Browser, Your Way”, so it should work! Period!

  6. Tree said on May 21, 2018 at 4:39 am

    I was annoyed because I really hate pop-ups disturbing browsing and Pale Moon popped one up about NoScript. Killed it, but what a pain! The reason given is that NoScript interfered with what some websites do. I do not want these websites to open up videos on their own or loud music or other lousy things like Facebook bugs to track me. It is great to block doubleclick, googleanalytics, googletagservices, questionmarket, etc. Is Pale Moon serving or are they serving me? Pale Moon used to put the user in charge and that’s what made it so great.

  7. Justin Juarez said on May 20, 2018 at 5:03 pm

    I too was censored for offering an opinion of NoScript. Coming from being a Firefox refugee, I like PaleMoon but I also place a higher respect for freedom of speech. It resulted in a new search for a new browser.

    1. Jody Thornton said on June 8, 2018 at 2:16 pm

      I get a bit annoyed when posts here on Ghacks are censored because they exude anti-Pale Moon sentiment. But yet it’s OK that a particular fruitcake over on the Pale Moon forum can say crap like this?

      ” ….. Who with a sane mind would use a mimicry variant of another browser – if the original (Google Chrome) is also available :D

      Hope Mozilla enjoys all their (non existing) Chrome users who have switched in (non existing) masses over to Firefox :D
      ….. ”

      Now there’s nothing “offensive” about it, but that particular idiot takes every chance to stir the pot and rile up Firefox fans. However, when we say anything about the Pale Moon team, these same guys cry foul.

      @Justin, I respect your view towards free speech. It’s sad because I like Pale Moon as a product, but the team is quite toxic. Everything is fine as long as you agree (and hate Firefox), but watch out if you have a differing opinion.

      1. Farid Le Fleur said on June 9, 2018 at 1:32 pm

        @Jody Thornton as you have quoted as it seems one guy from the Pale Moon board and I have been digging a bit around and have found it too, here something of very interest… and which is hitting the nail on its very head:


        “If you have issues with individuals, face them directly instead of mocking them in the public. Also a very special – questionable – behavior some certain Firefox users have today. Which i call nothing other than pure cowardice. No guts to discuss with the people here, no guts to discuss with the Pale Moon developers themselves!

        There is IRC available, there is the board available. One just needs to dig out enough courage and stop hiding behind the typical safe space excuses. How is it called.. Only the ones who know they are guilty fear the light”

        All i have to say in consideration how you and other people act – and then reading something like that:
        Evidence collection closed, case closed.

      2. Jody Thornton said on June 9, 2018 at 5:34 pm


        Thanks for trying to make me a coward, but I was banned from that forum. I only started venting against that team afterwards. Now I did stand up for some others while on that forum (and perhaps in a less-savoury way.) But I will make my voice heard.

        Think of it like someone who campaigns or markets an idea. Repetition is key. So I have no problem drawing attention to that forum’s toxicity. I’m not hurting or obsessed in any way – just dedicated to pointing out bad online decorum.

      3. Farid Le Fleur said on June 8, 2018 at 5:12 pm

        @Jody Thornton

        It seems to be an obsession of yours to read the sources of your “enemy” – and instead of challenging people over there – bad-mouthing them in here.

        Also.. idiot is quite a hard word – and does not put the best light on your personality. No offense meant, I just comment on what is visible from your very own comment. That is hardly a crime to call facts – facts.

        May i remind you that there is also a difference if you comment over people who have not a real clue of marketing/presenting themselves to the public – and making that way unintentionally mistake after mistake, even if they may be right in their points they present, but doing that too aggressive…


        If you comment about a developer who is doing the things they do on cold calculated purpose – every single thing they do.

        It is not the Pale Moon team only who are the bad guys. Actually they try to do things right in their own opinion, but they always flow way beyond the goal because of their own enthusiasm – which ends with others seeing them as some kind of radicals.

        Mozilla did the things they do not in well intention – they did that in pure calculation, that if you want to gain the raw sand (general users) you have to remove the rocks (power users) first. Mozilla is the party which is doing much more questionable things. They do that not because they do not know it any better, they do it on purpose.

        And that is a thing people like you and others constantly ignore to take into account.

      4. Farid Le Fleur said on June 8, 2018 at 4:43 pm

        @Jody Thornton To whoever you are referring in your quotation above… That person actually is right.

        1) If people would enjoy ” a mimicry variant of another browser”

        If people actually WOULD do that – Firefox would have a much more higher market share than right now, because all the changes Mozilla has done to Firefox is to persuade users of a certain other browser over to Firefox.

        Question: Where are that kind of users? Do you see them listed somewhere? Are they counted in market share numbers already? I do not think so Jody.

        2) (non existing) Chrome users who have switched in (non existing) masses

        I ask you again Jody: Where are that users which have switched listed? Has Firefox gained or lost users? Are all the changes Mozilla has done to Firefox enough to make users of the competing product switch in raw massive numbers or not?

        I see no issue with the statement of that person. At least not when looking on the available evidence.

        Also, it is Mozilla’s fault that comments like that are posted. Because it was Mozilla who ignored their own target user group. And it was Mozilla who basically said “eat it or go away and eat elsewhere” – If you complain about such a comment, then you should also take into account that Mozilla caused it in the first place that such comments are actually possible at all.

        And actually it WAS Mozilla who was not willing to give their own target users the respect they deserved, it WAS Mozilla who gave their own add-on and theme developers not the respect they deserved.

        If you want to blame someone for this, blame Mozilla. Because with a bit more intelligence and appreciation for their own users who have been using Firefox for such a long time and suddenly are threatened with losing all their toys – all that negativity never would have arrived.

        The only one who is responsible for all of this, is Mozilla. So, that comment is actually 100% justified in my opinion.

        Facts don’t lie!

    2. Krixus said on June 8, 2018 at 11:32 am

      @Justin Juarez

      Waterfox will become soon also a non-customizable cheap Chrome imitation like Firefox is already.

      What you can use:

      Otter with QTWebkit

      1. Jody Thornton said on June 8, 2018 at 2:19 pm


        SeaMonkey is also headed for the Quantum changes. The next milestone will be based on ESR 60, just like Waterfox.

    3. Matt said on May 20, 2018 at 8:40 pm

      Give Waterfox a try.

    4. @Justin Juarez said on May 20, 2018 at 8:08 pm

      Try Waterfox, it’s a much better browser than Pale Moon.

  8. Nili said on May 20, 2018 at 9:06 am

    Thanks for the update!

    Thanks Moonchild for updating my Linux Browser Pale Moon.

  9. Mike said on May 20, 2018 at 4:00 am

    Not a good situation for the guy who hosts the extension site has to be banned from the support forum (if that’s real) when the XUL platform is soon to be the basis for the new PM. XUL is mostly about extensions, even though it is a bit more than that.

    I’m skipping all the 27.9 updates and waiting for 28.0. But if something isn’t worked out about a good host site for extensions, I would eventually give up on PM. And Waterfox isn’t a good long term alternative either because he’s going to follow Mozilla’s path.

    1. New Tobin Paradigm said on May 21, 2018 at 3:22 pm

      Hi, I am taking a break from the Pale Moon forums until early the end of the summer.

      The ban is quite real but it was at my own request and will have to expire.

      Basically, I have too much to deal with than to get into often pointless arguments with some of the forum users that I seem to clash with.

      This eliminates a huge distraction for me so that I can focus my attention fully on Project Phoebus since my required tasks on the Unified XUL Platform have been mostly completed.

      I have decided that Phoebus needs an almost total rewrite in order to accommodate the next generation features I had set in basic form here

      This includes expanding the software to accommodate multiple applications on a unified backend site.

      The other project which is separate from the Pale Moon and associated projects is the Phoenix Extensions Archive.

      This will take a lot of work to setup and is reliant mostly on the Phoebus technology I am developing. With a very recent store of over 24.7 thousand Firefox extensions plus a complete dump from 2014 acquired from the now defunct Mozilla FTP Server I will be able to construct the most complete archive of Firefox extensions on the face of this planet. But I must stress that this archive is not related to the Pale Moon project but a personal one of mine so it won’t be connected to the Pale Moon Add-ons Site.

      Hope that answers some questions.

      1. Iron Heart said on May 21, 2018 at 5:51 pm

        @New Tobin Paradigm

        Mr. Tobin, in all honesty I don’t believe it would be a good idea for you to ever return to the forum. Hear me out! You are by no means incompetent, I think everyone here – even adversaries of Pale Moon – acknowledge that. I know that you were heavily involved in porting the classic Firefox interface to a newer Gecko base, which is not a trivial task by any means. Your occasional technical write-up is usually detailed and worth reading, even enjoyable. BUT, and I wrote this in capital letters because it is a huge “but” to reckon with, giving support is not your strength by any stretch of human imagination. Again, this doesn’t mean that your answers are factually wrong or show a lack of technical competence, but this is solely due to the fact that they are most often written in a snideful, condescending, insulting tone which tends to drive people away from the forum. This is the reason why the Pale Moon forum is developing a certain reputation here and elsewhere.
        Banning people won’t help it, especially when they are banned for disagreement only. The world is a harsh place and disagreement is something we have to deal with on numerous occasions, again and again. Banning people for voicing a different opinion is both mean and damaging when it comes to your reputation. The tone in the Pale Moon forum needs to vastly improve if it is to be acknowledged as a professional support forum again. The level of technical competence paired with the omnipresent arrogant attitude, with the latter reversing all positive gains of the former, is rather sad to look at as it stands.
        This is my fatherly advice to you: Stay away from the forum indefinitely, and concentrate on what you are best at: Developing software! Otherwise your attitude will continue to harm the project’s image, and the project won’t be going anywhere as a result.
        I hope you take my words for what they are, a suggestion that could prove the best solution for everyone involved, and which will ultimately work in favor of the project as a whole.

      2. New Tobin Paradigm said on May 22, 2018 at 12:23 am

        You might be right but let’s see what happens after three months. In the meantime, I am still on our IRC Channel on freenode.

      3. Jody Thornton said on May 21, 2018 at 7:05 pm

        @Iron Heart:

        Very very well written. You described the situation perfectly. And I will even go on record as saying that I would never question Tobin’s abilities. I’d likely be envious of them. My issues not only with Tobin but also Moonchild had to completely do with interactivity with others.

        Your response was concise and accurate.

  10. John Bayley said on May 20, 2018 at 2:52 am

    I don’t get the attitudes of some of the people in here. It seems to be full of Palemoon haters, for some reason.

    Look, the thing (PM) is free. Nobody forces you to use it.

    The developers there have repeatedly stated that their aim is not to be a straight out clone of FF minus some telemetry (like Waterfox has chosen to do). As part of this ‘vision’ (for want of a better term), they’ve made it clear they will not support webextensions, multiprocessing and so on.

    Marcus (Moonchild) has gone into quite some trouble to explain where he wants to go with the project, if you bother to read the ‘Information’ tab on the main site.

    The NoScript thread, that some of you mention above, is a case in point. Clearly the extension causes more problems in PM than it solves, so the developers have included a warning now regarding that, BUT even so, anyone is still free to use the extension. Unticking a box is surely less demanding than having the average user delve into ‘about:config’ or editing a userChrome.css.

    Contrast this with Mozilla, who first enforced signing of extensions, on rather flimsy pretext and despite objections from many developers on their own forums, and then chose to throw the whole extension system, which was the one thing that made the browser worth using, under the bus in order to follow the likes of Opera and become more Chrome-like.

    Perhaps some of what you people here perceive as a ‘negative’ attitude toward Ghacks posters (Jody Thornton) is well deserved, because there is usually much more scorn and negativity here about the PM project than the opposite. Many comments here also tend to be less than informed and regurgitate the same issues over and over again.

    Whether PM will be able to continue using the extensions some of you like obviously cannot be guaranteed, but then again, tons of extensions went the way of the dodo, with either no replacement, or with a severely impaired one due to the inherent limitations of the webextension ecosystem, and yet most of you here seem to have adapted somehow.

    I use PM on both my Linux (home) and Win7 (work) machines as the main and only browser (apart from the in-built IE on the Windows box). I have no problems with it and it does everything I want.

    If you want to talk about ‘arrogance’, you need look no further than the Mozilla forums.

    As I said, if you hate PM so much, don’t use it.

  11. Anonymous said on May 19, 2018 at 10:35 pm

    uMatrix 1.1.4 sorry for the typo

  12. Anonymous said on May 19, 2018 at 9:44 pm

    I was banned too for saying the truth on their forum. I still continue to use Pale Moon because it is always my preferred browser so far, no matter. Unfortunately there will always be haters as above.

    1. Jody Thornton said on May 20, 2018 at 6:16 am


      I use their browser still as well, but doesn’t getting banned for being straight up not bother you at least a little bit? I wouldn’t call these people “haters”. They just dislike poor conduct and public discourse. That’s all.

      Any way, I’m going to be a good boy this time ’round. I’ll keep my thoughts to myself, as I’ve said what I’ve needed to.

  13. Anonymous said on May 19, 2018 at 9:33 pm

    Just updated Pale Moon. All is working great, using uBlock legacy and uMatrix 1.16.4. About NoScript I removed it long time ago at the first update > an add-on for the release notes redirecting to a malware page blocked by most antiviruses, what a shame. I really wonder why SOME people have lost their nerves about the truth said by Moonchild.

  14. Quanmoon said on May 19, 2018 at 9:01 pm

    I hope and wish very much the Palemoon team could develop their own version based on the more efficient Firefox Quantum technology, that would be something!

  15. Gerard said on May 19, 2018 at 6:54 pm

    I’ve been a Pale Moon user for a long time, but it now looks like the Pale Moon developers are on the wrong track or bet on the wrong horse, whichever you prefer. For instance, recent versions of NoScript, uBlock Origin and uMatrix are incompatible with Pale Moon. And that’s very bad.

    1. Krixus said on June 8, 2018 at 11:28 am

      Pale Moon does not support webextensions. Because Moonchild is not interested in adopting Google tech inside their mainline product.

      While Mozilla has become a total Google-junkie.

      This requires add-ons like the ones you mention being forked. When no one is doing that, they are not available. That’s the way it is.

  16. Maverick said on May 19, 2018 at 5:13 pm

    Although a rare user, I am stuck at PM 26.5 only. Some of my favorite add-ons fail to work beyond that release. Unfortunately, FF and Cyberfox also do not support them.

  17. RottenScoundrel said on May 19, 2018 at 4:58 pm

    Gotta say, too little, too late. Well for this household anyway. Waterfox and Firefox only now. The Palemoon folk need to consider a more professional approach if they want to be a player in the browser wars.

    I have been a Palemoon believer pretty much ever since they started, but the past five to ten months their approach to all things seems to be in the express-lane of gurgler-bound.

    I finally changed everything over at version 28.4 or thereabouts. And, given the nonsense constantly being played out on their forum pages, I will not be looking back. The condescending “while we do our job” sums it all up for me.

    1. Jody Thornton said on May 19, 2018 at 6:21 pm


      I’m glad to see more people voicing their opinion about the poor behaviour on the Pale Moon forum.

      No one is denying people choice of what they want in a browser. If you like to customize, by all means use Pale Moon. I was indeed a big supporter of the browser, but when I see the staff and core users of Pale Moon become so mean-spirited not only to users asking questions, but also towards us posting here on Ghacks, then that behaviour needs to be called out. I’m glad there are other voices now doing so, besides just me.

  18. asdf said on May 19, 2018 at 10:35 am

    The changelog reads:

    “We changed the language strings for softblocked items so people will cry less when we do our job.”

    The developers of this browser are just a bunch of *.

    1. Weilan said on May 19, 2018 at 10:45 pm

      I don’t even know what they are all about – they are working on outdated forks of FireFox, trying to keep them both outdated and still patched at the same time, their website compatibility is also laughable and on top of this they are arrogant asshats… That project is such a waste of time.

      1. Krixus said on June 8, 2018 at 11:26 am


        Not everyone wants cheap men’s Google Chrome called Firefox. Geeks and nerds prefer most of the time options, features and choice.

        And Firefox offers almost nothing of that anymore. Now they offer simplicity, minimalism and Mozilla dictates what is right for the community – in their own arrogant opinion.

        So, if there is actually an asshat company around.. it is Mozilla. Because of their constant hate and spitting on geeks and nerds. Just saying… Firefox market share continues to shrink.

        Firefox is a sell-out product like Opera has become. Even a not fully FOSS company like Vivaldi can be taken more seriously than Mozilla. That also applies fully to Pale Moon. And every other browser which opens imagination instead of lame conformity.

    2. crambie said on May 19, 2018 at 8:08 pm

      The worst one I’ve seen was the github exchange over the openbsd build. Someone trying to help and all they got was abuse and threats. I’ve moved to Waterfox too but might swap to Brave once the 1.0 builds come out depending on the extension situation.

    3. P said on May 19, 2018 at 4:26 pm

      Actually that’s quite funny.

      1. @P said on May 19, 2018 at 8:55 pm

        The gods of humor have smiled down upon you, rejoice! I wish I was that easily amused… :(

    4. RichardT said on May 19, 2018 at 12:28 pm

      Agreed, got fed up with their arrogant antics and have now switched to Waterfox.

      1. Jody Thornton said on May 19, 2018 at 4:55 pm

        I notice that this arrogance you speak of has reared its ugly head with the NoScript thing. That thread is a mess. You would seem to think that with Tobin being banned from the forum, things might have settled a bit, but I guess not.

        I’ve been using New Moon for now because MPEG codecs work on my old Vista station. That’s a cool project to check out. Even Roytam’s Basilisk ports run on XP and Vista (x64 builds included). I’m not a big proponent of continued online use of XP, but these are nice developments if you happen to use Vista.

  19. Iron Heart said on May 19, 2018 at 9:34 am

    Waterfox 56.2 has been released, too. Just saying.
