roytam1

add SSUAO then. general.useragent.override.twitter.com = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" (without quotation marks, add new string in about:config using the name before equal mark)

yea I knew it is buggy due to Classila's javascript changes. I may just build a plain phoenix 0.5 with TLS 1.2 later. Classila's js has these problems as observed: - __lookupGetter__ seems to be broken - removeTab exists in tabbrowser.xml but it still complain removeTab is not a function

it should but not tested

for fun, nostalgia, and investigation, tried to replace NSS to retrozilla-tff_sha384 version in old classila-based phoenix browser. of course it still some fixes to give user smooth experience, may review the code if there is time. repo: https://github.com/roytam1/classilla/commits/tls12-exp download (for fun!): http://o.rths.ml/gpc/files1.rt/phoenix-0.5-cl933-tls12.7z

yea, session support is broken after sync, and it is not working in upstream

you may need to exchange their position instead.

sure. http://o.rths.ml/gpc/files1.rt/tcpmp-mod6-win95.zip

not every profile / b-ref frame counts are supported, but baseline profile works.

you need to patch out IsDebuggerPresent to GetErrorMode in binaries(*.plg;*.dll;*.exe). binpatch: http://o.rths.ml/gpc/files1.rt/binpatch.zip for example: binpatch 4973446562756767657250726573656E74 4765744572726F724D6F64650000000000 common.dll

New regular/weekly KM-Goanna release: https://o.rths.ml/kmeleon/KM76.2-Goanna-20200118.7z Changelog: Out-of-tree changes: * update Goanna3 to git fa517dfc6..3c4a44c16: - import changes from rmottola/Arctic-Fox: - Goanna->Gecko: GoannaMediaPluginService & GoannaTouchDispatcher (1e10799bf) - Goanna->Gecko: GoannaProcess (dd671240a) - Goanna->Gecko: goannamediaplugin (2a9423ba6) - Goanna->Gecko: GoannaContentController (62e7c2f5f) - Goanna->Gecko: GoannaProfiler & GoannaTaskTracer (376c45a3c) (3e6694dfa) - import changes from rmottola/Arctic-Fox: - remove mobile-android (cf8ef1e27) - remove also android examples (94f68c0e5) - remove android mozglue (d0114f339) (ec05a9b22) - import change from rmottola/Arctic-Fox: - Bug 1160098 - XULElement::LoadSrc() should check whether we successfully created a new frameLoader before trying to call SetIsPrerendered() on it r=smaug (ca804e43) (7733293ea) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 1: osx devtools theme (17f5e5203) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 2: mozbuild changes (60cea5c35) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 3: misc fixes including: - Bug 1218882 - lz4.js should be usable outside of workers, r=Yoric. (360bb783) - Bug 1046245 - enumerateDevices (harmless interface version) r=smaug, r=jesup (ce475127) - Bug 1046245 - enumerateDevices returns label for pages w/active gUM or persistent permissions. r=jesup (ec780fb6) - Bug 1110973 - Add a preference for enabling fake streams for tests, and use it in the Loop functional tests. r=smaug (580092e3) - Bug 1046245 - enumerateDevices session-persisted hmac id. r=jesup (7d4eb087) (5f6df85cb) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 4: front-end fixes (6785ff1ad) - Merge pull request #2 from roytam1/af-sync-works (7bfdfdf34) - import changes from `devel' branch of rmottola/Arctic-Fox: - Bug 1132874 - Improve protections against sending a parent plugin protocol shutdown message to the child after the child has torn down. r=aklotz (b80b45fa7) - Bug 1103036 - Follow-up to initial patch; r=jchen (51337c2dc) - Bug 1132874 - Simplify PPluginWidget protocol handling, and avoid sending async messages from the parent. Addresses a problem with sub protocols that are torn down randomly from either side of the connection. r=aklotz (3ad936e84) - Bug 1128214 - Avoid a crash when attempting to render windows titlebar specific theme elements with e10s. r=roc (b6f17da09) - Bug 1139368 - Set FilterTypeSet dependency in improveThisTypesForCall. r=h4writer (422de7271) - Bug 864041 - Remove Firefox 2+3 compat code from about:sessionrestore. r=mak (4cfc6fe9a) - Bug 1009599 - Restoring from about:sessionrestore fails when there is more than one tab in the window r=smacleod (88ca1cfbc) - Bug 1146052 - Fix empty about:sessionrestore after crash as well as empty about:welcomeback after resetting the profile r=smacleod (211b50396) - Bug 1043797: extended popup notifications to create a generic doorhanger for all security notifications incl. mixed content r=adw (f7c2d5ded) - Bug 900845 - We aren't using the NetUtil module in SessionStore.jsm. (3f5ddd133) - Bug 898755 - Remove _resume_session_once_on_shutdown code from SessionStore; r=yoric (eb159fec9) - Bug 902727 - [Session Restore] Remove legacy _writeFileEncoder; r=smacleod (8e375c529) - space cleanup (cbd71ce91) - Bug 968923 - part 1 - add infrastructure for defining use counters from UseCounters.conf; original-author=heycam; r=heycam,gfritzsche,mshal (d0dea9997) - Bug 968923 - part 2 - change MappedAttrParser to store a nsSVGElement directly, instead of its nsIPrincipal; r=smaug (4eff86d7f) - Merge branch 'devel' of https://github.com/rmottola/Arctic-Fox into devel (feb4378e6) (3c4a44c16) * Notice: the changelog above may not always applicable to XULRunner code which K-Meleon uses. A goanna3 source tree that has kmeleon adaption patch applied is available here: https://github.com/roytam1/palemoon27/tree/kmeleon76

New NewMoon 27 Build! 32bit https://o.rths.ml/palemoon/palemoon-27.9.7.win32-git-20200118-3c4a44c16-xpmod.7z 32bit SSE https://o.rths.ml/palemoon/palemoon-27.9.7.win32-git-20200118-3c4a44c16-xpmod-sse.7z 32bit noSSE https://o.rths.ml/palemoon/palemoon-27.9.7.win32-git-20200118-3c4a44c16-xpmod-ia32.7z 64bit https://o.rths.ml/palemoon/palemoon-27.9.7.win64-git-20200118-3c4a44c16-xpmod.7z source repo: https://github.com/roytam1/palemoon27 repo changes since my last build: - import changes from rmottola/Arctic-Fox: - Goanna->Gecko: GoannaMediaPluginService & GoannaTouchDispatcher (1e10799bf) - Goanna->Gecko: GoannaProcess (dd671240a) - Goanna->Gecko: goannamediaplugin (2a9423ba6) - Goanna->Gecko: GoannaContentController (62e7c2f5f) - Goanna->Gecko: GoannaProfiler & GoannaTaskTracer (376c45a3c) (3e6694dfa) - import changes from rmottola/Arctic-Fox: - remove mobile-android (cf8ef1e27) - remove also android examples (94f68c0e5) - remove android mozglue (d0114f339) (ec05a9b22) - import change from rmottola/Arctic-Fox: - Bug 1160098 - XULElement::LoadSrc() should check whether we successfully created a new frameLoader before trying to call SetIsPrerendered() on it r=smaug (ca804e43) (7733293ea) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 1: osx devtools theme (17f5e5203) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 2: mozbuild changes (60cea5c35) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 3: misc fixes including: - Bug 1218882 - lz4.js should be usable outside of workers, r=Yoric. (360bb783) - Bug 1046245 - enumerateDevices (harmless interface version) r=smaug, r=jesup (ce475127) - Bug 1046245 - enumerateDevices returns label for pages w/active gUM or persistent permissions. r=jesup (ec780fb6) - Bug 1110973 - Add a preference for enabling fake streams for tests, and use it in the Loop functional tests. r=smaug (580092e3) - Bug 1046245 - enumerateDevices session-persisted hmac id. r=jesup (7d4eb087) (5f6df85cb) - align changes from rmottola/Arctic-Fox (rev e67e868c) to our tree Part 4: front-end fixes (6785ff1ad) - Merge pull request #2 from roytam1/af-sync-works (7bfdfdf34) - import changes from `devel' branch of rmottola/Arctic-Fox: - Bug 1132874 - Improve protections against sending a parent plugin protocol shutdown message to the child after the child has torn down. r=aklotz (b80b45fa7) - Bug 1103036 - Follow-up to initial patch; r=jchen (51337c2dc) - Bug 1132874 - Simplify PPluginWidget protocol handling, and avoid sending async messages from the parent. Addresses a problem with sub protocols that are torn down randomly from either side of the connection. r=aklotz (3ad936e84) - Bug 1128214 - Avoid a crash when attempting to render windows titlebar specific theme elements with e10s. r=roc (b6f17da09) - Bug 1139368 - Set FilterTypeSet dependency in improveThisTypesForCall. r=h4writer (422de7271) - Bug 864041 - Remove Firefox 2+3 compat code from about:sessionrestore. r=mak (4cfc6fe9a) - Bug 1009599 - Restoring from about:sessionrestore fails when there is more than one tab in the window r=smacleod (88ca1cfbc) - Bug 1146052 - Fix empty about:sessionrestore after crash as well as empty about:welcomeback after resetting the profile r=smacleod (211b50396) - Bug 1043797: extended popup notifications to create a generic doorhanger for all security notifications incl. mixed content r=adw (f7c2d5ded) - Bug 900845 - We aren't using the NetUtil module in SessionStore.jsm. (3f5ddd133) - Bug 898755 - Remove _resume_session_once_on_shutdown code from SessionStore; r=yoric (eb159fec9) - Bug 902727 - [Session Restore] Remove legacy _writeFileEncoder; r=smacleod (8e375c529) - space cleanup (cbd71ce91) - Bug 968923 - part 1 - add infrastructure for defining use counters from UseCounters.conf; original-author=heycam; r=heycam,gfritzsche,mshal (d0dea9997) - Bug 968923 - part 2 - change MappedAttrParser to store a nsSVGElement directly, instead of its nsIPrincipal; r=smaug (4eff86d7f) - Merge branch 'devel' of https://github.com/rmottola/Arctic-Fox into devel (feb4378e6) (3c4a44c16)

New build of BOC/UXP for XP! Test binary: MailNews Win32 https://o.rths.ml/boc-uxp/mailnews.win32-20200118-b01bff6b-uxp-e4c4c20e7-xpmod.7z Browser-only Suite Win32 https://o.rths.ml/boc-uxp/bnavigator.win32-20200118-b01bff6b-uxp-e4c4c20e7-xpmod.7z source patch (excluding UXP): https://o.rths.ml/boc-uxp/boc-uxp-src-xpmod-20191123.7z Official repo changes since my last build: - Add the ability to get an msbuild from an arbitrary date to version2k (e9238f7f) - Update commit pointer (b01bff6b) For UXP changes please see above.

New build of Serpent/UXP for XP! Test binary: Win32 https://o.rths.ml/basilisk/basilisk52-g4.5.win32-git-20200118-fd382bb-uxp-e4c4c20e7-xpmod.7z Win64 https://o.rths.ml/basilisk/basilisk52-g4.5.win64-git-20200118-fd382bb-uxp-e4c4c20e7-xpmod.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/custom IA32 Win32 https://o.rths.ml/basilisk/basilisk52-g4.5.win32-git-20200118-fd382bb-uxp-e4c4c20e7-xpmod-ia32.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/ia32 NM28XP build: Win32 https://o.rths.ml/palemoon/palemoon-28.9.0a1.win32-git-20200118-ee58ea2dc-uxp-e4c4c20e7-xpmod.7z Win64 https://o.rths.ml/palemoon/palemoon-28.9.0a1.win64-git-20200118-ee58ea2dc-uxp-e4c4c20e7-xpmod.7z Official UXP changes since my last build: - Prefer file extension as-provided over default extension for mimetype to look up default applications on Windows (06dbb7b7d) - Simplify some alias sets in IonMonkey. (60dc9eaa9) - Reinstate the java->c++ source, generator code + documentation. (aa2ac8dde) - Issue #1338: Follow-up: Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations. (3733205f0) - Fix comments for NSS PBKDF setup (no code change) (217dca872) - Issue #1319 - Remove stderr_to_file. (6d342dbab) - Issue #1319 - Disable MOZ_LOGGING in production builds. (4a038e2b4) - Issue #1319 - Enable promise debugging only in DEBUG builds. (0257b657d) - No issue - Don't define gamepad prefs when gamepad support isn't built. (abf6fd8f2) - No issue - Remove unused network.http.bypass-cachelock-threshold pref. (1392abe1d) - Issue #1353 - Disable remote jar: URIs by default. (cbbae7243) - Issue #1319 - Set some obvious prefs for production builds. (da7423057) - No issue - Remove some unused webextension sync preferences. (8d65feff0) - Issue #1332 - Enable seeking to next frame by default. (82804d200) - Update gitignore for import of java html5 codegen and parser sources (09314667a) - Add java htmlparser sources that match the original 52-level state (6168dbe21) - Add the java javaparser (03fb2e229) - Update the java codegen makefile for having the two libs in-tree and change a few target names so they aren't obnoxious (2ac58ecef) - Bug 1322938 - Make the tree builder aware of <dialog>. (6f27b4eb3) - Bug 1555523 (java htmlparser version) (984790c6f) - Bug 1347737 - Introduce a new non-heap-allocated type for holding nsStringBuffer* in the HTML parser. (java htmlparser) (ee1d95374) - Bug 1562033 (3da18fda0) - Issue #1354 - Cherry-pick ANGLE update for broken drivers that support required indexing but not the extensions. (058105eec) - Issue #1354 - Don't allow glsl[130,400] unless we have gpu_shader5 (7007ec9e4) - No issue - Fix some line endings in WebGLShaderValidator.cpp (fa816e1ec) - Fix an issue with the html5 tokenizer and tree builder (java htmlparser) (e93b37337) - Update java htmlparser copyright on code to be translated to cpp (72779c9dd) - Remove obsolete javasrc snapshot (9dbbc6c08) - Update gitignore to no longer track snapshot javasrc for the html5 parser (c050c611d) - Update the html5 parser java codegen makefile to clean up snapshot javasrc (635baac21) - Regenerate nsHtml5*.cpp files from java htmlparser sources (927c386dd) - Merge branch 'html5-parser-work' (ed6010155) - Update readme instructions for how to use the java html5 parser codegen makefile (e4c4c20e7) Official Pale-Moon changes since my last build: - Issue #1706 - Improve copying from the location bar, stop encoding parentheses explicitly (76665a263) - remove bad feature identifier (9d4bc7575) - Revert "remove bad feature identifier" (dc0057ac8) - Revert "Block Noveau NV96 mesa driver layers acceleration." (b4a605368) - Update platform commit pointer (unstable 2020-01-14) (1cfc1870b) - Merge pull request #1707 from JustOff/PR_location_copy (ee58ea2dc) There are no new Official Basilisk changes since my last build. My changes since my last build: - reverted "No issue - Remove some unused webextension sync preferences. (8d65feff0)"

new ArcticFox win32 test build is uploaded: http://o.rths.ml/gpc/files1.rt/arcticfox-27.9.19.win32-20200118.7z - add missing function of Bug 833943, part 3: implement migrator changes (afe3784b9) - revert default of showQuitWarning because it exposes a bug which corrupts the profile or session storage (654629d67) - add missing function of Bug 833943, part 3: implement migrator changes (a01cfc753) - Merge pull request #53 from rmottola/master (270a63dc0) - Update win32 arctic fox icon from grey to blue (9b7ec8bbf) - Merge pull request #22 from wicknix/master-good (108c07611) - Bug 887167 - Undo global-scope pollution from browser-plugins.js. r=jaws (cc0fd90fb) - Bug 916276 - Remove dead click-to-play code. r=gfritzsche (fd96f08c9) - Bug 959061 - Have only one "Chinese, Simplified" item in the Character Encoding menu. r=Unfocused. (f484c2f82) - Merge remote-tracking branch 'upstream/master' into fix-winbuild (aa8adc078) - Bug 956657 Share more charset menu code between the view source window and the browser r=Unfocused (b681e424e) - remove duplicate and obsolete CharsetMenu.jsm (30644c91b) - also remove CharsetMenu.jsm from browser/modules/moz.build (d986fc2ff) - Merge remote-tracking branch 'upstream/devel' into fix-winbuild (b8fc75f58) - Update win32 arctic fox icon from grey to blue (6727e1e24) - Goanna->Gecko: GoannaMediaPluginService & GoannaTouchDispatcher (1e10799bf) - Goanna->Gecko: GoannaProcess (dd671240a) - Goanna->Gecko: goannamediaplugin (2a9423ba6) - Goanna->Gecko: GoannaContentController (62e7c2f5f) - Goanna->Gecko: GoannaProfiler & GoannaTaskTracer (376c45a3c) - remove mobile-android (cf8ef1e27) - remove also android examples (94f68c0e5) - remove android mozglue (d0114f339) - Bug 927174 - Add a "More Info..." link to the plugin click-to-activate panel which links to SUMO, r=jaws (3b2bd0364) - Bug 853694 - Cannot send crash reports for click-to-play plugins. r=jaws (424fee753) - Fixup for bug 927174 - use the preexisting app.support.baseURL pref instead of a custom one (c256b1dda) - remove specific Pale Moon plugin show preference (f35b3dcfe) - Bug 926605 part A - When a plugin is removed from a page, continue showing it in the plugin doorhanger, to deal with the cases where the site removes a plugin immediately after trying to use it, r=jaws (f94ba6aa1) - Bug 926605 part B - automatically refresh the page if the users chooses to enable a plugin but its no longer on the page, r=jaws (afbe91c00) - Bug 745187 - Don't introduce a delay notifying the frontend about new plugins added to the document, because script may immediately remove them from the page. To fix the delayed layout of XBL, introduce a separate method to calculate the notification icon visibility, r=jaws (f926e6691) - Bug 934503 - Activated hidden plugins should not show the hidden plugin notification icon, r=jaws (eda3e525a) - Bug 943383 - Fix state not being remembered in click-to-play doorhanger. r=jaws (7c0c650ab) - Bug 919493 - browser-plugins.js should call openUILinkIn rather than openURL. r=gavin (acdbd1f5b) - Bug 920927 - Fix plugin overlay handling. r=neil (408049b33) - Bug 853973 - If a plugin is overlayed by other content on the page, then treat it as a hidden plugin: hide the overlay and present the infobar for click-to-play or crashed plugins, r=jaws (c6e05e285) - Bug 745187 part B - If a plugin is already activated, don't refresh the page. (45c25b4c4) - Bug 932786 - CTP doorhanger does not update to show the new plugin state after the user clicks allow or block; update pluginInfo.fallbackType with the new state in gPluginHandler._updatePluginPermission, r=keeler (173877a4c) - Bug 933935 - Strip parentheticals when making nice plugin names, r=dolske (ca864bfda) - Bug 932854 - when a site uses a hidden plugin, show a notification bar to aid discoverability. This patch, suitable for trunk and branch, uses existing strings which are not ideal. r=jaws (960afd793) - Bug 932854 - trunk-only patch to use new strings for the buttons, r=jaws (cb7298542) - Bug 932832 - click-to-play not discoverable for Google Hangouts video plugin because it is positioned at -40000,-40000. Check for positioning and treat this as a hidden plugin, r=jaws (58fcb3630) - Bug 957922 - aBrowser is null in _setPluginNotificationIcon. r=jaws (b4e9d608b) - Bug 896418 - Improve naming for CtP popupNotification centerActions. r=jaws (83ccc1249) - Bug 968762 - Plugin overlays are not displayed if plugin element is not fully in scroll view. r=jaws (d6d9dd6a6) - Bug 921730 - "The plugin is disabled" placeholder cannot be closed. r=jaws (69fafe078) - Bug 977543 - CTP overlay is not displayed for iframes/embedded videos. r=jaws (248147557) - Bug 981237 - Remove DataContainerEvent dependency from Plugin crash handler. r=jst,johns (6f8f2bcd2) - Bug 914753: Make Emacs file variable header lines correct, or at least consistent. DONTBUILD r=ehsan (24bf47cf5) - missing part of Bug 914609 Consistently use plugin placeholder anonymous element anonids r=jaws (38e6a8544) - Bug 1009760 - Support displaying of crash notification for GMP plugins. r=gfritzsche (fb3107e97) - Bug 1043531 - Let frontend deal properly with PluginCrashed without a browser dump id. r=ttaubert (5a22dce15) - Bug 1045500 - Skip processing the plugin name for plugin crashes in the front-end for GMP plugins. r=ttaubert (c8b06b515) - Bug 899347 - [e10s] Make click-to-play work with e10s. Originally written by mbrubeck. r=gfritzsche,felipe,Unfocused. (1a6c3fc20) - add parts of Bug 839206 - Replace plugin installation notification bar with door hanger -- silences some errors even if it doesn't work (270faecf2) - Merge remote-tracking branch 'upstream/devel' into fix-winbuild (756326bf2) - Bug 1161928 - Add assertions to ensure tab restoration methods are used correctly r=billm (ee15e5aa2) - Bug 1143720 - Remove support for old FormData, PageStyle, and ScrollPosition formats r=smacleod (45b034524) - Like in FF and TFF, remove browser.sessionstore.max_concurrent_tabs (e28c650d5) - Bug 1142542 - Use AppConstants in browser/modules (r=gavin) (80d7cc617) - Bug 942374 - Enable session restore for electrolysis (r=ttaubert) (47dbafef9) - Bug 1160098 - XULElement::LoadSrc() should check whether we successfully created a new frameLoader before trying to call SetIsPrerendered() on it r=smaug (ca804e437) - Bug 873556 - Add a timestamp to closedWindows and closedTabs. r=ttaubert (c90c85d09) - update (7066e48b1) - Merge remote-tracking branch 'upstream/devel' into fix-winbuild (3938630f3) - Bug 1132874 - Improve protections against sending a parent plugin protocol shutdown message to the child after the child has torn down. r=aklotz (b80b45fa7) - Bug 1103036 - Follow-up to initial patch; r=jchen (51337c2dc) - Bug 1132874 - Simplify PPluginWidget protocol handling, and avoid sending async messages from the parent. Addresses a problem with sub protocols that are torn down randomly from either side of the connection. r=aklotz (3ad936e84) - Bug 1128214 - Avoid a crash when attempting to render windows titlebar specific theme elements with e10s. r=roc (b6f17da09) - Bug 1139368 - Set FilterTypeSet dependency in improveThisTypesForCall. r=h4writer (422de7271) - update (c47679472) - Bug 864041 - Remove Firefox 2+3 compat code from about:sessionrestore. r=mak (4cfc6fe9a) - Bug 1009599 - Restoring from about:sessionrestore fails when there is more than one tab in the window r=smacleod (88ca1cfbc) - Bug 1146052 - Fix empty about:sessionrestore after crash as well as empty about:welcomeback after resetting the profile r=smacleod (211b50396) - Bug 1043797: extended popup notifications to create a generic doorhanger for all security notifications incl. mixed content r=adw (f7c2d5ded) - Bug 900845 - We aren't using the NetUtil module in SessionStore.jsm. (3f5ddd133) - Bug 898755 - Remove _resume_session_once_on_shutdown code from SessionStore; r=yoric (eb159fec9) - Bug 902727 - [Session Restore] Remove legacy _writeFileEncoder; r=smacleod (8e375c529) - space cleanup (cbd71ce91) - delete patch file (9b9215a31) - Bug 968923 - part 1 - add infrastructure for defining use counters from UseCounters.conf; original-author=heycam; r=heycam,gfritzsche,mshal (d0dea9997) - Bug 968923 - part 2 - change MappedAttrParser to store a nsSVGElement directly, instead of its nsIPrincipal; r=smaug (4eff86d7f) - more stuff to do (d5b1b1df5) - Merge branch 'devel' of https://github.com/rmottola/Arctic-Fox into devel (feb4378e6) - Merge remote-tracking branch 'upstream/devel' into fix-winbuild (1907417c1)

I've been wondering the same thing. My first thought was that the vulnerability probably affects versions based on FF 49, when the JS engine was rewritten, or later; if so, then FF 45, NM 27, ArcticFox, etc. wouldn't be vulnerable. But as you say, the javascript.options.ion pref does exist in those older browser versions, so I'm not all that confident about that assessment. it is proved unvulnerable, at least on ppc. http://tenfourfox.blogspot.com/2020/01/tenfourfox-not-vulnerable-to-cve-2019.html and nm27 repo had a big front-end merging with arcticfox devel branch, tested with my preliminary browsing test and hope everything works.

I collected it in the past

you may try this

old good TCPMP for Windows may work as well, it even work on NT 3.51.

it was reported in upstream: https://forum.palemoon.org/viewtopic.php?f=3&t=23566

at the posting time, I can't access google translate.

can't read russian, same discussion available in PM forum as well. https://forum.palemoon.org/viewtopic.php?f=66&t=23615

no, it can be anything you received from remote, for example, HTML, CSS, images, videos, audios, etc.

it should be possible to overwrite new build with files from pm26xp-no-manifest.7z without issue. but anyway it is updated.

and yeah moonchild did same fix in their tree. https://github.com/MoonchildProductions/UXP/commit/60dc9eaa95b96abbe881063b62304a58eadd6b8e

fixed