6.48 Cobrowse and Website - May 29, 2025
Website
- Added checks for more XSS exploits in file uploads to Account Management.
- Cobrowse now captures the anchor portion of a URL in agent viewer and Report a Problem submissions.
- Resolved non-functional errors on pages where unsafe-inline was previously removed.
- Resolved a “Group ID required” error that was blocking SAML authentication in Salesforce.
- Resolved an issue in the Customizations Tool where buttons on the Production tab were incorrectly active.
- Reimplemented page scroll position retention after a postback on AccountCobrowse.
- Resolved information disclosure issue with the following changes:
  - The “agentInfo” WebSocket message is only sent if “Send agent info to visitor” is enabled.
  - The agent first name will only appear next to gestures if the group has opted in to send agent information to the visitor’s browser.
  - For the rcevent visitor-side event:
    - When “Send agent info to visitor” is enabled, the payload includes username and puid.
    - When “Send agent info to visitor” is disabled, the payload does not include username and puid.
- Removed unsafe-inline from \account\AccountCobrowse.aspx.
- Resolved a stored XSS vulnerability via SVG file upload in Account Management.
- Resolved XSS vulnerability in group names on admin settings pages.
- Resolved an open redirect vulnerability in Check.asp.
Script Package
- Resolved an issue where the guest name display on gestures was incorrectly linked to the “Send agent info to visitor” setting.
- Enhanced the clarity of the agent’s view during Mobile SDK sessions.
- Resolved an accessibility issue preventing JAWS screen reader from properly interacting with the Show Terms modal.
- Cobrowse now supports line breaks in visitor-side text.
Portal
- Changed the Status icon to an alert badge in the users table.