Patch Notes for B2B Commerce for Visualforce Summer ’19 (Version 4.11)

Added the ability to filter the static resources that the ccrz.cc_util_UserInterface API utility class queries. This query includes static resources that contain your storefront's product images, theme files, and so on. This enhancement works around limits in your org if you've installed multiple managed packages, and allows you to specify the static resource namespaces that you want to query.

UPGRADE IMPACT: To implement this filter in your org, create metadata for a new configuration in the User Interface module that uses the API name nsList. Then, in your storefront settings, set the value of this configuration to a comma-separated list of the namespaces that you want to query. Avoid spaces between comma values, and be sure to include the default ccrz namespace in the list. For example, enter ccrz,other-namespace where other-namespace is a custom namespace that you want to include. For more information, see Create Metadata for the Namespace List Configuration Added in a Patch in the B2B Commerce for Visualforce Release Notes and Upgrade Guide.

Fixed an issue where the Checkout page returned an Apex error that prevented checkout flow from completing successfully. This issue occurred when both of the following conditions were satisfied:

• The Address Owned by User configuration of the Checkout module (co.uown) was TRUE.
• A customer service representative (CSR) was logged in to the storefront using CSR flow and selected an effective account.

UPGRADE IMPACT: After you upgrade the managed package, update the Checkout module's Address Owned by User configuration to apply to all pages instead of only the Checkout page (co). Then, build and activate a new configuration cache.

Fixed an issue where the sharing rules for the following custom objects potentially exposed personal identifiable information (PII) in carts, orders, and addresses:

• CC Cart
• CC Contact Address
• CC Order

These sharing rules were previously required for a storefront that allows a guest buyer to create a cart and check out. This fix removes the dependency on the specific sharing rules. Guest user carts and checkout continue to behave correctly without these rules.

UPGRADE IMPACT: After you install the patch, to remove the affected sharing rules and update sharing attributes in the default order confirmation email template, complete the steps in Remove Sharing Rules for Carts, Orders, and Addresses in the B2B Commerce for Visualforce Release Notes and Upgrade Guide.

Enabled the Secure attribute for the following cookies:

• apex__cc_anonymous_Country
• apex__cc_anonymous_Currency
• apex__cclgtkn
• apex__currCartId
• apex__effacc

This attribute ensures that the managed package sends cookie data securely through an encrypted request over HTTPS protocol. For more information, see:

• (Mozilla Developers) Using HTTP cookies
• (Open Web Application Security Project) Secure Cookie Flag

Fixed an issue where duplicate internationalized spec values appeared on the Product Compare page. This issue occurred when both of the following conditions were true:

• At least two CC Spec records had the same Name (such as Color), but different Locales (such as en_US and ja_JP).
• A product had a spec value assigned for each spec.

Fixed an issue where a buyer wasn't able to log in to the storefront. This issue occurred in an org that's resolved the security alerts for preventing unauthorized guest user access to their storefront data. If the user configured as the Default Record Owner owned multiple active carts that were abandoned, the heap size filled up. As a result, no registered users could log in.

UPGRADE IMPACT: This fix updates the ccrz.ccLogicUserLogin.determineStartURL() logic provider method in the following ways:

• The call to ccrz.ccApiUser.fetch() specifies ccrz.ccService.QUERYLIMIT => 1 and ccrz.ccService.WODAO => True.
• The call to ccrz.ccApiCart.fetch() specifies ccrz.ccService.QUERYLIMIT => 1.

Updated the default ccrz.cc_hk_UserInterface extension point class to distribute the latest stable, secure versions of jQuery (3.5.1) and jQuery Migrate (3.3.0).

UPGRADE IMPACT: This upgrade also introduces a breaking change where non-void HTML elements that use self-closing tags, such as <div/>, no longer render. This HTML compatibility change affects the default Handlebars templates included in the managed package, and can affect front-end extensions or customizations that you've already developed. For more details about the jQuery upgrade and the impact on the HTML used in your storefront, see the Salesforce Knowledge article, Upgrade to jQuery 3.5.1 in B2B Commerce for Visualforce Spring ’20 (Version 4.12) or Earlier.

Fixed an issue where an error occurred when showing shipping options during checkout. This issue occurred after the following sequence of events:

1. A buyer first selected a shipping option during checkout.
2. The buyer exited checkout flow, returned to their cart, and changed the cart's contents in such a way that the selected shipping option became invalid.
3. Finally, the buyer returned to the checkout flow.

This fix removes the invalid shipping option from the CC Cart record when proceeding through checkout again.

Fixed potential security vulnerabilities in some extension point classes.

UPGRADE IMPACT: This fix deprecates the ccrz.cc_hk_EffectiveAccount.fetchAccountData() method.

Fixed an issue where the Checkout page didn't reliably load the account's default shipping or billing address. Previously, B2B Commerce for Visualforce allowed multiple shipping or billing account address book records to have the Default field set. This fix enforces a limit of one shipping and one billing account address book entry per account.

UPGRADE IMPACT: Edit the account address book record that you want to use for the default selected during checkout, and enable its Default field. B2B Commerce for Visualforce uses whichever record where Default was most recently enabled as the default address during checkout.

Fixed an issue where the CC Admin tab didn't load for a user whose admin profile didn't have Create access on the E_Foo__c object.

As a result of this change, a user with the admin profile can’t download files from CC Admin | Global Settings | Settings Loader.

Fixed an issue where the Reorder widget didn't show the correct recent order history for a selected effective account. This issue occurred when:

1. The Filter Effective Account configuration of the My Account module was TRUE.
2. The buyer placed an order from one child account.
3. Then, the buyer selected a different effective child account.

The Reorder widget incorrectly showed all orders from the parent-child account hierarchy, instead of just the selected child account's orders.

Fixed an issue where a buyer wasn't able to add an aggregated product to a cart. This issue occurred if you previously installed B2B Commerce for Visualforce Summer ’19 (version 4.11) patch 3.145.13 or 3.145.12.

UPGRADE IMPACT: If you previously installed B2B Commerce for Visualforce Summer ’19 (version 4.9) patch 3.145.13 or 3.145.12, upgrade to this patch.

Fixed an issue in the Effective Account selector for an account name that contained a symbol (such as &). The account name rendered with the symbol’s HTML code (such as &) instead of the symbol itself.

UPGRADE IMPACT: This fix updates the default EffAcctSel-Widget-View-Desktop Handlebars template. If you've previously overridden this default template, reimplement your customizations based on the fixed version of the default template. This step ensures that custom code in your solution receives the benefit of the fix.

Replaced hard-coded text strings with the following localizable page labels:

• LLI_CheckOut_Of in the Move Item window in LLI checkout
• PaginatorOf on the Shipping step of LLI checkout
• LLICheckout_SummaryWidget on the Shipping and Order Confirmation steps of LLI checkout
• catalogSearchInc_QuickSearch in the Feature Filtering widget on the Product List page

Fixed several issues that ensure that guest users can continue to self-register and create carts after you complete the required security alerts for guest security.

UPGRADE IMPACT: Complete the following steps:

1. Install patch 3.145.9 to upgrade the managed package. Be sure to update the available global data in the Data Loader page of CC Admin after you install the patch.
2. Complete the steps in Resolve Guest User Security Alerts to Keep Your Storefronts Secure by Default in the B2B Commerce for Visualforce Release Notes and Upgrade Guide. These steps describe how to manually resolve each security alert.

Fixed several issues that enhance the security of B2B Commerce for Visualforce custom objects against unauthorized access. These fixes don’t require any action after you upgrade.

This patch removes a requirement to have the View All Users permission enabled on your storefront’s guest user profile. This permission was previously required to work around a Digital Experiences security fix. This change ensures that you’re providing the least privilege to guest users to help keep your storefront data secure, while still supporting self-registration.

UPGRADE IMPACT: If you previously enabled the View All Users permission, update your guest user profile to disable the View All Users permission.

Fixed an issue where a product with a start date that’s valid for the current date didn’t appear on the storefront. This issue occurred because the product index included only price list items whose date ranges were valid for the time that the index was built. For example, a product with a start date of September 1 didn’t appear on the storefront on September 1, because the product index was built on August 15. With this fix, a price list item with a future Start Date is now included the next time you build a new product index.

If you start including future-dated products, the size of the index and time required to build it both increase.