Authors: István Kurucsai and Vignesh S Rao looked at patch gapping Chrome on two separate occasions. The conclusion was that exploiting 1-day vulnerabilities well before the fixes were distributed through the stable channel is feasible and allows potential attackers to have 0-day-like capabilities with only known vulnerabilities. This is compounded by the fact that regression tests are often included with patches, reducing exploit development time significantly. The vulnerability results from this oversight, as the JSCreate node (introduced by JSCallReducer) accesses the prototype of the new target, an operation that can be intercepted by a Proxy.
Source: https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/
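As an added illustration (this is not code from the Exodus Intel post, and the names Target, trapRecord and victim are made up for the example), the following JavaScript shows the engine-level behaviour the summary refers to: when an object is constructed with a new.target that is a Proxy, the engine must read new.target.prototype to choose the new object's prototype, and a Proxy "get" trap runs user-controlled code at exactly that point. Any compiler optimisation that treats object creation as free of side effects is unsound once such a trap is in play.

```javascript
// Added example, not code from the Exodus Intel post. Names are this
// example's own, not V8 internals.

function constructWithProxyNewTarget() {
  const trapRecord = [];          // properties the trap was asked for
  const victim = [1.1, 2.2, 3.3]; // state the trap mutates "mid-construction"

  class Target {}

  // new.target is a Proxy around an ordinary function, so the engine's read
  // of new.target.prototype during construction goes through our handler.
  const newTarget = new Proxy(function () {}, {
    get(target, prop, receiver) {
      trapRecord.push(String(prop));
      if (prop === 'prototype') {
        victim.length = 1;        // side effect observable by later code
        return Target.prototype;  // hand back a legitimate prototype
      }
      return Reflect.get(target, prop, receiver);
    },
  });

  const obj = Reflect.construct(Target, [], newTarget);
  return {
    trapRecord,
    victimLength: victim.length,
    protoIsTarget: Object.getPrototypeOf(obj) === Target.prototype,
  };
}

// Control case: with an ordinary function as new.target no user-defined code
// runs while the object is being created, so the array keeps its length.
function constructWithPlainNewTarget() {
  const victim = [1.1, 2.2, 3.3];
  class Target {}
  function PlainNewTarget() {}
  PlainNewTarget.prototype = Target.prototype;
  Reflect.construct(Target, [], PlainNewTarget);
  return victim.length;
}

console.log(constructWithProxyNewTarget()); // trapRecord contains "prototype", victimLength 1
console.log(constructWithPlainNewTarget()); // 3
```

The point of the control case is the contrast: the only thing that differs between the two constructions is whether new.target is a Proxy, yet in the first one arbitrary script (here, shrinking an array) executes in the middle of what the compiler would like to model as a pure allocation.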

