Pale Moon 28.9.0 (64-bit)

What's new in this version:

New features:
- Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
- Implemented promise-based media playback
- Implemented non-standard legacy CSSStyleSheet rules functions
- Implemented the html5 <dialog> element. To switch this on, flip dom.dialog_element.enabled to true.
- Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
- Added 1.25x playback speed to html media elements
- Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories

Changes/fixes:
- Aligned document.open() with the overhauled specification
- Aligned the way DOM styles are computed with mainstream browser behavior
- Removed the (unused) DOM promise implementation
- Enabled seeking to next frame in media files
- Enabled dynamic UA updates for emergency use
- Implemented rule processing stub for font-variation-settings
- Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers
- Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
- Improved reporting of the operating system in site-specific user-agent overrides
- Improved table drawing performance again after the rewrite for sticky positioning making it slower
- Updated CSP processing to allow custom scheme wildcards to be specified without a port
- Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements
- Changed the way hardware acceleration is controlled from the application
- Changed the default monospace font for main languages from Courier New to Consolas
- This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else
- Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config
- Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now
- For extensive release notes with all NSS changes, see NSS_Releases
- Implemented an NSS performance optimization for Master Password use with limited effect
- Fixed some potential crashing scenarios with WebGL on Linux
- Completely removed showModalDialog
- Disabled some logging in production builds
- Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
- Removed support for a number of critical libraries being system-supplied
- Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text
- Removed a bunch of Android and iOS support code
- Fixed an issue with form elements sometimes being incorrectly disabled
- Fixed several crashes
- Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user
- Performed various tree-wide code cleanups
- Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice
- Cleaned up the application updater code

Security-related fixes:
- Fixed a potential pointer issue in cubeb. DiD
- Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
- Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
- Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
- Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
- Updated our sctp library code with several upstream fixes
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable