CC @piaskowyk. _WORKLET_RUNTIME was added in software-mansion#2253 and software-mansion#2656. We're not interested in supporting it, so we can just remove it in our fork. But I think it's important for the upstream version to fix this issue.

Note that this isn't a vulnerability, but a hardening measure. The code is writing to the workletRuntimeData buffer without checking it's length is the size of a pointer. Normally, this won't be a problem. But if some code messes with the ArrayBuffer global, it might be possible that it performs an out-of-bounds write. For example, doing this:

let ab = ArrayBuffer; global.ArrayBuffer = function(){return new ab(0)}

would make workletRuntimeValue to point to an ArrayBuffer of length 0, but the code would still write some data into an invalid memory location.

My recommendation to fix this would be to assert that the ArrayBuffer instance has the proper length before writing any data. I think the length could be obtained using workletRuntimeValue.getObject(runtime).getArrayBuffer(runtime).length(runtime).

As an extra security measure, I'd also suggest to only set the _WORKLET_RUNTIME global when a configuration flag is on. Most users don't need it, so it would be better that it's off by default. This is important to mitigate the information leak caused by reading the value of _WORKLET_RUNTIME.