Fixed CVE-2018-5129: Out-of-bounds write with malformed IPC messages.
Fixed CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption.
Fixed CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources.
Fixed CVE-2018-5144: Integer overflow during Unicode conversion.
Fixed CVE-2018-5125: Memory safety bugs.
Fixed CVE-2018-5145: Memory safety bugs.
Fixed CVE-2018-5137: Path traversal on chrome:// URLs.
After this release, the current Basilisk will be in maintenance mode as we work on a re-forked UXP.
Restored source-editor commands for scratchpad and style editor menus.
Removed a bunch of Rust cruft.
Moved a number of flow decisions from run-time to build-time to slim the browser down.
Removed redundant Vista checks.
Removed unused crash reporter conditional code.
Enabled blocking of top-level data: URI navigations by default. If you need this functionality as a developer, flip the security.data_uri.block_toplevel_data_uri_navigations preference. Note that this does not block manually entered data: URIs, only navigation to them from the browser.
Added the status line (response) to raw header display.
Removed b2g code.
WebExtensions: Content Script sandboxes will now have their sandboxName set.
Added an option to remove all session cookies for a specific domain.
Added a number of devtools improvements.
Fixed a number of crashes and instabilities in the browser.
Fixed border and caret widths for natural rounding.
Mitigated Meltdown/Spectre hazards.
Removed b2g code.
Fixed issues with ID-less web extensions and incorrect warnings in the add-on manager.
Removed unused internal extensions and components.
Fixed source editor controller commands.
Fixed X-Frame-Options sameorigin check to check all ancestors.
Fixed "sticky" menu colors in special accessibility ("high contrast") system themes.
Fixed security issues: CVE-2018-5099, CVE-2018-5093, CVE-2018-5113, CVE-2018-5095, CVE-2018-5098, CVE-2018-5111, CVE-2018-5109, CVE-2018-5122, CVE-2018-5091, CVE-2018-5097, CVE-2018-5102, CVE-2018-5104, and multiple potentially exploitable crashes and vulnerabilities that do not have a CVE assigned to them.
Fixed potential registry name collisions on Windows for file types and protocols.
Renamed Options to Preferences (Windows) and moved Preferences to the Tools menu (Linux).
Switched off automatic form filling of login credentials and added a preference to control this.
Completely removed the "Mozilla Settings Service" and "Blocklist service" client.
Fixed a margin issue for the navigation bar.
Adjusted the performance-timing resolution to prevent timing-based hardware-specific attacks ("Meltdown"/"Spectre").
Limited the number of shared Array Buffers for normal JS code to prevent allocation issues.
Disabled shared JS memory for the time being to make doubly-sure it can't be abused while "Spectre" is investigated further.
Fixed several compatibility issues with WebExtensions.
Disabled Mozilla's "system add-ons" service, which would allow Mozilla to remotely install add-ons.
Disabled Mozilla's "system settings" service, which would allow Mozilla to remotely change settings or block add-ons.
Updated SQLite lib to 3.21.0.
Added an option to block top-level data: URIs.
Removed referrers when opening links in new private windows.
Updated license and rights pages.
Changed the Feedback link to point to the forum instead of Mozilla.
Fixed an issue with exportFunction().
Fixed/enabled the use of Firefox Sync (Firefox Accounts).
Restored the toolkit Error Console for application troubleshooting.
Added '-jsconsole' and '-browserconsole' command-line arguments for launching either console on startup.
Removed what was left of the underused Social API.
Changed the way element border rounding is done in Goanna to have natural rounding up/down of fractional sizes (IEEE 754).
Fixed a potential leak involving IndexedDB and private browsing mode.
Fixed a crash in ANGLE.
Linux-only update to fix a release channel/update problem.
Fixed add-on/GMP update calls to Mozilla services.
Enabled accessibility features.
Enabled Parental Controls features (Windows only).
Changed blocklist hosting to self-hosted.
Removed leveraging the blocklist for CRL purposes.
Included the Universal Runtime Libraries with the browser.
No longer enforcing the "preferred" cipher suite profile on HTTP/2.
Added support for the worker-src CSP directive.
Fixed freetype glyph metrics in Skia (fixes Freetype 2.8.1+ issues).
Fixed an issue with ContentSecurityManager not passing the correct context.
Fixed a number of issues with Contenteditable elements.
Fixed a number of issues with pointer events.
Implemented "cookie-averse document objects" to mitigate cookie injection.
Fixed an issue with SVG text-based image masks.
Fixed the installer checking for Firefox instead of Basilisk.
Enabled the use of 64-bit plug-ins other than Flash and Silverlight.
Made the SVG texture cache more lenient to large-resolution SVG images.
Fixed several crashes and memory safety hazards.
Fixed several security bugs: CVE-2017-7837, CVE-2017-7832, CVE-2017-7830, CVE-2017-7835, CVE-2017-7831, CVE-2017-7838, CVE-2017-7839, CVE-2017-7828, CVE-2017-7840, and several others from Firefox 57 that do not have a CVE designation.