Release 11.46

What's New

Senders

• Can create conditional logic on optional signatures: It is now possible to create conditional logic rules based on optional signatures. Specifically, when a sender creates a transaction, they can specify certain rules to be triggered when a signer signs an optional signature.

• Can set new rules for Checkbox Groups: Senders can now configure the following validation rules for a Checkbox Group: (1) At least (enforces a minimum number of boxes to be checked for the group); (2) At most (enforces a maximum number of boxes to be checked for the group); (3) Exactly (enforces an exact number of boxes to be checked for the group); (4) Range (enforces a minimum and maximum number of boxes to be checked for the group).

• Can download Evidence Summary & documents together: Senders can now download a transaction’s documents and its Evidence Summary together in a zipped file. Formerly, they had to download the Evidence Summary and documents separately.

• Can download Evidence Summary for incomplete transactions: Enabled the Evidence Summary to be downloaded from the sender part of the User Experience, even if the associated transaction is not completed. Note: This feature must be enabled per account, and is OFF by default. To activate it, please contact our Support Team.

• Better handling of large download files: Formerly, senders couldn’t receive an email with a completed transaction’s documents and/or Evidence Summary if the associated attachment was larger than 10 MB. If the attachment exceeds 10 MB, the sender now receives an email with a download link that will direct them to the relevant Transaction Details page. There, they can download the transaction’s documents and Evidence Summary in the usual way.

• Senders are warned of visibility issues: When a sender chooses a primary Branding color or an Alert color that has a low contrast ratio, the following warning message now appears: This color might cause visibility issues.

Signer Experience

• Can apply QES with Swisscom: Qualified electronic signatures (QES) can now be applied via Swisscom within the jurisdictions of eIDAS and ZertES. This integration with Swisscom: (1) on-boards new signers quickly and easily; (2) improves the User Experience when documents are signed with QES. Limitation: This feature is not yet available in all supported languages.

Developers

• SDK can add signature images: The SDK can now be used to add Image files as signatures in documents.

• Enabled new rules for Checkbox Groups: New validation rules for Checkbox Groups are described in the What's New > Senders section above. To successfully implement these rules, we needed an RHF library (react-hook-form.com). This in turn required us to change the syntax of our Field IDs. Field IDs are now “sanitized” by replacing all special characters with alphanumeric characters. Please take this into account if you are testing OneSpan Sign’s User Experience through an automated UI test framework such as Selenium (www.selenium.dev).

Virtual Room

• Host can extend a session indefinitely: The host can now extend a Virtual Room session any number of times. Before this release, a Virtual Room session could be extended only once.

• Host can close a session: The host can now close a Virtual Room session via an option in the More actions menu.

• Signers can review documents before a session: Signers can now review the documents associated with a Virtual Room transaction before a Virtual Room signing session. Specifically, signers can click a new Review button in the Virtual Room’s waiting room. Clicking it takes a signer to the documents, which can be reviewed but not yet signed. Once the host starts the Virtual Room session, the signers are admitted to the session, and documents can then be signed.

• Notifications sent when videos are downloadable: Added an API Event notification that is sent when a Virtual Room video recording is ready for download.

• Better mobile experience: We improved the mobile experience of Virtual Room sessions. Note: This is a work-in-progress that future releases will continue to improve.

Evidence Summary

• Can store a signer's geolocation: Enabled the system to gather a signer’s geolocation from their browser information, and store that geolocation in the Evidence Summary document. Note: (1) signers can configure their browser to block it from providing their geolocation; (2) this feature is enabled via a setting in OneSpan Sign BackOffice.

eOriginal

• Notification sent if an eDeposit fails: Customers are now notified if an attempt to eDeposit their documents in an eOriginal vault has failed.

• Cannot download authoritative copies: Users are now prevented from downloading authoritative copies of documents that will be deposited in eOriginal vaults. If they try to do so, they will end up downloading non-authoritative copies that are watermarked and flattened.

Bug Fixes

Signer Experience

• PB-80810: Fixed a Signer Experience issue in which Firefox 96 prevented signers from signing.

• PB-80838: Fixed the following issue. If radio buttons were added as required fields, a bug affected the Required Actions counter in the upper-right corner of the Signer Experience. In particular, selecting a radio button failed to increment the "completed actions" counter of the Required Actions widget (i.e., the "x" in "Required Actions x of y").

• PB-79623: Fixed an issue in which the system presented the Capture Signature dialog box to a signer multiple times, thus enabling them to apply different signatures in the same document. Instead, the system should have applied the signature it first captured to all the signer's Signature Boxes.

• PB-80806: Fixed an issue in which the system truncated the image of a captured signature if the signature had been captured on a mobile device; and the image was retrieved via an API call.

• PB-78788: Fixed an issue in which the user was getting a blank screen on their mobile device when they tried to access a transaction that required their Mobile Signature.

• PB-80811: Fixed an issue in which Signature Fields appeared in wrong places when documents were previewed in the Web UI via the "eye" icon.

• PB-82274: Fixed the following issue. When a signer had multiple Capture Signature fields in a document of an e-Notary transaction, an error occurred in the following situation. If the signer drew their signature in one of those Capture Signature fields, and then uploaded a signature image using the "Capture Signature from file" option, the system failed to place the drawn signature in all the signer’s Capture Signature fields.

Senders

• PB-78448: Fixed an issue in which a shared template could not be seen by anyone except the sender who created it.

• PB-76293: Fixed the following issue. After a sender deleted all transactions on the second page of listed transactions, they saw no transactions. Instead, the sender should still have seen the transactions on the first page.

• PB-80510: Fixed an issue that sometimes triggered an error when a conditional logic rule was being created for a transaction in which the Transaction Owner was also a signer.

• PB-78452: Fixed an issue that arose when the system imported fields from an accessible transaction’s PDF. The problem was that the names of fields in a drop-down list in the sender part of the User Experience had been changed from the fields' original names in the PDF.

• PB-78481: Fixed an issue in which special characters (e.g., apostrophes, double quotes) were rendered with a "Z0" prefix in the Field Import drop-down list when accessible transactions were being created.

• PB-78893: Fixed an issue in which the system failed to send email reminders that had been configured in a transaction template.

• PB-78169: Fixed an issue in which reminder emails were sent after a transaction was complete, but optional signatures had not been signed.

User Experience

• PB-78245: Fixed an issue in which the More actions menu was disabled for transactions, but subsequently appeared on user-authentication pages.

• PB-78166: Fixed incorrect Japanese translations of text in the product's Terms and Conditions.

• PB-78052: Fixed an issue in which the system presented a 403 error to a delegated user when they tried to view a delegated transaction.

Account Owners & Admins

• PB-79434: Fixed an issue that prevented groups from being created when sub-accounts were enabled.

• PB-61105: Fixed an issue in which the system threw an error when a user tried to create a group in a sub-account.

• PB-60392: Fixed an issue in which a sub-account user could not be deleted.

• PB-77955: Fixed an issue in which a 401 error appeared if a user requested an API token for a sender whose email address had the same suffix as the email address of another sender in the same account.

Developers

• PB-80323: Fixed the following issue. When a developer injected text fields in a PDF document, the JSON payload specified a font size for the injected fields. The problem was that the system failed to apply the specified font size to those fields.

Evidence Summary

• PB-79270: Fixed an issue in which the Evidence Summary failed to record a user’s remote signing of an in-person transaction.

Data Retention

• PB-79004: Fixed an issue in which transactions sometimes failed to expire on their configured expiry dates.

Accessibilty

• PB-75886: Fixed an accessibility issue in which Screen Readers read a banner about cookies every time they focused on a Close button or an OK, I agree button.

eOriginal

• PB-79122, PB-78928: Fixed an issue in which our Digital Mortgage or Digital Lending workflow failed to trigger the eDeposit of documents in an eOriginal vault.

Vulnerabilities

• PB-61589: Mitigated a vulnerability in which OneSpan Sign session cookies were set with a redundant "secure;" attribute.

• PB-72042: Mitigated a vulnerability in which multiple Oracle patches were missing. We applied the latest Oracle patches to the affected areas.

• PB-79609: Mitigated the CVE-2021-42575 vulnerability by upgrading the OWASP Java HTML Sanitizer library to version 20211018.2.

• PB-80502: Mitigated log4j vulnerabilities by upgrading each affected library to version 2.17.1 of the Log4j Core library.

• PB-79017: To remove vulnerabilities, we: (1) upgraded the libraries velocity-1.7.jar and jstl-1.2.jar; (2) removed the library plexus-utils-1.5.6.jar from the OneSpan Sign Application Backend.

Performance Improvements

• PB-75685: Improved the Signer Experience’s performance by disabling image rendering. Image rendering has not been needed since we deprecated the Classic Signer Experience.

• PB-79926: Improved the Signer Experience’s performance by improving Front End algorithms.

• PB-75902: Improved the User Experience's performance by implementing document-caching techniques.

Changed Behavior

• PB-79665: Changed the system’s Data Retention behavior so transactions are deleted the day after the date on which their retention is due to end.

• PB-77813: We modified the behavior of groups of radio buttons. Now if a radio button from a group is marked as required, the entire group is marked as required. These requirements are nonetheless satisfied when a single button from the group is selected.

• PB-78887: Changed the Evidence Summary's encoded hash for a Virtual Room video recording from a base-64-encoded hash to a plain-text MD5 hash. The latter is easier to decrypt.

• PB-78682: To ensure compliance with ADA standards (WCAG 2.1), we now warn senders when their chosen primary Branding color or Alert color has a low contrast ratio. Such warnings also enable senders to prevent the disappearance of UI components due to a color conflict (e.g., white alerts on a white background).

• MAIN-6598: When a signer session expires, in certain environments the signer used to be redirected to OneSpan Sign’s Login page. Now, in all environments the signer is redirected to an error page that states their session has expired.

Known Issues

• PB-84003: An issue arises in the following circumstances: (1) Senders A and B are members of the same sub-account; (2) Senders A and B are each other’s delegates; (3) Sender A creates a template in the sub-account. When Sender B is subsequently in the sub-account, and is acting as a delegate for Sender A, they should be able to see the new template. However, they can’t. A workaround is for Sender B to re-select the sub-account from the Accounts menu. They can then see the new template.

• PB-74520: Suppose an API user creates a transaction, and specifies the value '0' for the maxLength parameter on Text Fields. If a signer subsequently enters any amount of text into a Text Field, it will trigger the following error: The field's value is too long. This issue will be fixed in an upcoming release. Meanwhile, the workaround for API users is to exclude the maxLength parameter from the payload. This issue does not affect SDK users.

• PB-80669: Sometimes an account owner with the User Management permission cannot delete other users from their account. Recent code changes mean that deleting other users now requires both the User Management permission and the Roles permission. A sufficient workaround is to assign the account owner the Admin role (via OneSpan Sign BackOffice).

• PB-82567: Giving a group of checkboxes and a group of radio buttons the same name causes errors in the Signer Experience. The workaround is to ensure that these different kinds of groups have different names.

• PB-82023: Windows Explorer is the default file-compression application for versions 10 and 11 of Microsoft Windows. A bug or limitation in Windows Explorer is preventing users from viewing the content of the EslTransactionsPIIReport file created by the Schedule Reports feature of OneSpan Sign BackOffice. This problem can easily be mitigated by using a third-party file-compression application such as 7zip or winrar.

• PB-82852: When trying to create an accessible transaction, an "HTTP 400 Bad Request" error occurs if the parameters Stop Image Rendering and Extract Text Tags are both enabled in OneSpan Sign BackOffice. This issue will be fixed in an upcoming release.

• PB-83384: When trying to confirm signed documents (accessible or not), the Confirm button sometimes fails to respond when it's clicked. This occurs only if the name in one of the documents' Signature Fields contains a period (.). The functionality of the Confirm button can easily be restored by refreshing the browser.

• PB-83688: This issue arises when a signer repeatedly fails to authenticate themselves via ID Verification, and is locked out of a transaction. When the sender subsequently views that signer’s status in the User Experience, they should see a “locked signer” icon. The sender can then interact with that icon to unlock the signer, and resend the transaction. The problem is that the icon is not appearing, so the signer cannot be unlocked.

• PB-83742: Signing a document on Windows 11 via PCC with a soft certificate sometimes causes a Personal Certificate Client Error. The document cannot be signed because the certificate selected for this purpose is invalid. If this happens, please select a different certificate and try again.

• PB-83815: When signed documents are viewed using the PDF Preview feature of Firefox or a Chromium-based browser, the browser may fail to correctly render certain components (e.g., a cross in a checkbox). If this happens, please view the document using Adobe Reader/Acrobat Pro.

• PB-84199: An issue arises when the Signature Navigator has been configured to iterate through a document’s checkboxes. The problem is that it skips over checkboxes if they are in a Checkbox Group.

• PB-84341: If a signer has been assigned the SMS authentication method, using a Safari v13 browser with iOS 13 crashes the signing process. The error message that appears is Unhandled Server Error. As a workaround, signers can do any of the following: (1) use a different browser; (2) upgrade to a higher version of Safari; (3) upgrade to a higher version of iOS.

• PB-84954: An issue arises in the following circumstances: (1)a template is created with multiple signers, one of whom is assigned Conditional Fields; (2) a transaction is created from the template, and the signer with the Conditional Fields is removed; (3) the transaction is distributed for signing; (4) a signer completes their portion, and clicks Confirm. At this point, an error message appears. This issue will be fixed in an upcoming release. Meanwhile, the workaround is to: (1) manually delete the relevant document from the transaction; (2) add the document to the transaction again; (3) redistribute the transaction for signing.