i told Apple on 23rd of February about this and never got any reply.
so i kept quiet but since these "exploits" are on the rise and it's so easy to protect yourself - here you go :
of course you have to know the exact location of the program on the computer, and this can be a problem,
since all .dmg files are mounted in the same location.
so after the user mounted the .dmg file it could be possible to trick someone to click this link to start HelpViewer.
there is an application to download named moreInternet, a freeware preference panel
to specify which applications are set as helpers for internet protocols (made by monkeyfood.com),
which you can use to change the "help:" protocol to some other program.
(note that this has to be done for each user on the computer)