The fix for CVE-2021-21148 has added a check in |ValueSerializer::WriteJSArrayBuffer| to make sure non-detachable array buffers cannot be transferred. The check can be bypassed with the help of asm.js and property getters.
ae2637e1d681177334781f4a6b614cf249946bb30e4223a9dc2793a92ea03f86