These are help files, correct?

I've done some Visual Basic programming and generated help systems using .chm's. I think the potential dangers could be twofold.

The help systems that use chm's are basically a browser nested inside an executable program. I wouldn't be as concerned about Javascript on a local system because many local reading abilities are restricted (but I could be wrong.) I would be more worried about potential VBscript in these files. VBScript can access ActiveX objects which can access local files. So a vulnerability in any known ActiveX objects or the help executable itself could be exploited.

I would say in both cases, the potential is there, although I've no idea of the extent of the danger.

I had a mission critical box almost infected with a trojan through one of those last week. Even though it was already caught up in my defences while downloading.

spent 3 hours exterminating all traces of it just to make sure.

...

*pfft*

In a nutshell, they can.

Your chm file may access files over the internet, I have a few of them from sources I do trust and they all collect their images on-line.

As you should know, it is possible to have scripts as part of an image makeup, especially if they are GIF's which have been exploited before and you have images that are completely dynamic so god only knows what you could be loading if you happen to cop for a chm thats being used as a foothold prior to an attack.