Hi,
No worries.
Even if javascript can access or even modify these cookies, they won't be able to do anything with them.
Their role is to store the cart id of the current user with his old session id in case his session changes (because it times out) so that the user can still see his cart on your website.
First, you can't overtake the cart if it's linked to a user account.
And second, for guests, even if the attacker would be able to overtake the cart of someone else it would just be able to see what products were in the cart. So it's not a security concern as he won't be able to overtake the would session with that, which could be problematic.
Finally, the HttpOnly flag is almost useless as it can be circumvented and attackers usually use other; more effective, methods:
portswigger.net/research/web-storage-the...sion-tokens#httponly
Similarly, not having a CSRF token for the add to cart process is not a problem. It would only allow an attacker to force a product of your website to the cart of your users. Adding such a token would even be a problem as it would prevent some easy customization with just the add to cart link of the products that many merchants rely on in their shop.